Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 3:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide. [...]
India's government has told the Delhi High Court that Telegram was warned about two weeks before it was blocked, and that the platform admitted it could not proactively detect the channels selling leaked exam papers. Telegram says it cooperated and the ban is unlawful. [...]
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, the answer is a simple no. The rush to adopt internal AI tools has left a massive trail of administrative debt: orphaned agents (AI tools left running after their creator leaves the company) and standing privileges (
2026 is the year agent harnesses go to production. The software that controls the model’s access to the outside world — harnesses like Codex, Claude Code, OpenCode, Pi, and Project Think — has matured to the point where teams are deploying agents as real, load-bearing infrastructure, not just prototypes. But building agents that survive production is hard. We learned this firsthand building Project Think as our first-party agent harness. In working with our customers to run agents in production, we found a common set of distributed systems problems that every agent faces when running in the cloud. When an agent is interrupted, how can it automatically and gracefully resume from where it left off, without losing context or wasting tokens? How can agents run untrusted code securely? How can agents use the tools they were trained for? A harness can’t solve these problems on its own. They’re tied to state, storage and compute — which means they’re dependent on the platform the agent runs on. That’s why we’re taking our learnings from hardening Project Think for production and bringing them to the Cloudflare Agents SDK as a base layer. Durable execution, dynamic code execution, a durable filesystem and dynamic workflows, now available to any harness building on Agents SDK. At the same time, a new layer has emerged above the harness. Frameworks like Flue wrap a harness with the project structures, conventions, integrations and developer experience that make agents productive to build. To solve these scaling challenges, there’s a new, three-layer stack that is emerging for building production-grade AI. Here is how the pieces fit together, moving from the user-facing developer experience down to the underlying
Latest
Thursday, June 18
Introduction Merely a few years ago, when asking about the state of quantum computing or the need for Post-Quantum Cryptography (PQC), the response would usually revolve around the ongoing PQC competition that NIST had brought to life in an attempt to identify algorithms for standardization. In 2022, Cloudflare started experimenting 1 with hybrid key agreement on its production edge, though most of the world outside a handful of research labs had barely registered that any of this mattered. The core argument of that work was that organizations n
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It
Market intelligence platform Klue suffered a OAuth breach that enabled the "Icarus" threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign. [...]
Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here → When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned
Microsoft 365 helps keep services running, but protecting and recovering business data remains your responsibility. Acronis breaks down five gaps organizations should consider when evaluating Microsoft 365 data protection. [...]
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was
International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group. [...]
Weird DNS queries from svchost.exe (google.com.onion, wildcard + malformed domains) – anyone seen this on Windows?
I’m investigating a DNS-related alert and wanted to check if anyone has seen similar behavior in a Windows environment. We observed the following DNS queries from a Windows 11 host: * `google.com.onion` * `*google.com` * [`www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com`](http://www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com) * [`google.com`](http://google.com) All of these were generated within the same second by: * `svchost.exe` * Running as `NT AUTHORITY\SYSTEM` * Sysmon Event ID 22 (DNS query) Some key observations: * The `.onion` query returned **NXDOMAIN (DNS\_ERROR\_RCODE\_NAME\_ERROR)** * No follow-up connections or IP resolution were observed * The behavior looks like a burst of synthetic / malformed queries rather than user activity This pattern looks very similar to what people have reported on Samsung devices (MobileWIPS DNS probing / spoof detection), but this is a **Windows endpoint**. **Question:** 1. Has anyone seen similar DNS query patterns from `svchost.exe` on Windows endpoints? 2. Could this be: * DNS Client (Dnscache) behavior? * Some Windows network validation / spoof detection logic? * Or triggered indirectly by EDR/XDR tools interacting with DNS? 3. Any reliable way to map this definitively to a specific service under `svchost` using logs alone? At the moment, it looks benign (NXDOMAIN + no connections), but the `.onion` query is triggering alerts, so trying to confirm before suppressing. Appreciate any insights.
Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 countries. We continue to believe that a better Internet is one where anyone with an idea can reach a global audience. Each year on the anniversary of Project Galileo, we announce new products, programs, and strategic partnerships. To celebrate our 12th anniversary this year, we’re publishing our first comprehensive report on cyberattacks targeting civil society, releasing case studies that explore the security needs of 16 Project Galileo participants, and announcing new project partners. Introducing a new annual report on cyberattacks against global civil society Because Project Galileo now includes 3,400 domains belonging to organizations in over 120 countries, Cloudflare has access to unique data regarding the cyber threats, attacks, and trends targeting civil society — a critical pillar of global democracy. In addition, because the Cloudflare network spans more than 335 cities in 125 countries and more than 20% of the web
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update system. [...]
A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide. [...]
Apple has released security updates to patch a high-severity flaw affecting the Beats Studio Buds wireless earbuds that could allow attackers in Bluetooth range to spy on users' conversations. [...]
India's government has told the Delhi High Court that Telegram was warned about two weeks before it was blocked, and that the platform admitted it could not proactively detect the channels selling leaked exam papers. Telegram says it cooperated and the ban is unlawful. [...]
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, the answer is a simple no. The rush to adopt internal AI tools has left a massive trail of administrative debt: orphaned agents (AI tools left running after their creator leaves the company) and standing privileges (
Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems. [...]
Artist Morry Kolman will be livestreaming feeds of the NBA champions’ ticker-tape parade from NYC’s traffic cameras—and this time, the city’s Department of Transportation isn’t demanding he stop.
The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials. Here is the damage report: 🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot. 🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies. 🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list. ⚠️ Status: STILL active as of this publication. Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture. Read the full FortiBleed breakdown here: [https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/](https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/) Also check the leak here [https://hubs.la/Q04lQnV60](https://hubs.la/Q04lQnV60) \#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar
Internal Home Office tests of age-verification technology show the risks of life-altering errors. It’s moving forward anyway.
OpenAI appears to be testing a new subscription and experience for science use cases, but it's unclear if it'll be available to everyone regardless of their background. [...]
Wednesday, June 17
Overview The SignalRGB kernel driver, SignalIo.sys , contains two vulnerabilities involving improper access control and unsafe memory handling. The device object is created with an overly permissive Discretionary Access Control List (DACL) that allows user-mode processes to access privileged hardware operations through input/output control (IOCTL) commands. Additionally, several IOCTL handlers are susceptible to NULL pointer dereference conditions, which further enables low-privilege users to trigger kernel crashes and cause Denial of Service (DoS). Version 1.3.7.0 of the SignalRGB driver remediates these vulnerabilities. Description SignalRGB is a Windows application used for RGB lighting control and hardware monitoring. Its kernel component, SignalIo.sys , provides the low-level interfaces required to access and interact with hardware resources. The SignalIo.sys driver exposes privileged functionality intended for administrative or security operations, but the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices by using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, thereby allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. CVE-2026-8049 The \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN . This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the
From August 3, 2026, Google will use IP addresses from UK, EEA and Switzerland users for ad measurement and personalization. It lands as the ICO weighs new consent rules, and years after Google itself called using such signals to identify devices "wrong." [...]
[https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/](https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/)
Thought to share my top 10 cybersecurity podcast list and get your thoughts. Darknet Diaries: [https://darknetdiaries.com/](https://darknetdiaries.com/) Hacked: [https://open.spotify.com/show/21zZfOy7VCSIIWlJ64DElv](https://open.spotify.com/show/21zZfOy7VCSIIWlJ64DElv) Security Now: [https://twit.tv/shows/security-now](https://twit.tv/shows/security-now) Somaini's Trust Issues: [https://somainistrustissues.riverside.com/](https://somainistrustissues.riverside.com/) Risky Business: [https://risky.biz/](https://risky.biz/) Smashing Security: [https://www.smashingsecurity.com/](https://www.smashingsecurity.com/) Cybersecurity Simplified: [https://www.highwirenetworks.com/cybersecurity-podcasts/](https://www.highwirenetworks.com/cybersecurity-podcasts/) No Such Podcast: [https://www.nsa.gov/Podcast/](https://www.nsa.gov/Podcast/)
2026 is the year agent harnesses go to production. The software that controls the model’s access to the outside world — harnesses like Codex, Claude Code, OpenCode, Pi, and Project Think — has matured to the point where teams are deploying agents as real, load-bearing infrastructure, not just prototypes. But building agents that survive production is hard. We learned this firsthand building Project Think as our first-party agent harness. In working with our customers to run agents in production, we found a common set of distributed systems problems that every agent faces when running in the cloud. When an agent is interrupted, how can it automatically and gracefully resume from where it left off, without losing context or wasting tokens? How can agents run untrusted code securely? How can agents use the tools they were trained for? A harness can’t solve these problems on its own. They’re tied to state, storage and compute — which means they’re dependent on the platform the agent runs on. That’s why we’re taking our learnings from hardening Project Think for production and bringing them to the Cloudflare Agents SDK as a base layer. Durable execution, dynamic code execution, a durable filesystem and dynamic workflows, now available to any harness building on Agents SDK. At the same time, a new layer has emerged above the harness. Frameworks like Flue wrap a harness with the project structures, conventions, integrations and developer experience that make agents productive to build. To solve these scaling challenges, there’s a new, three-layer stack that is emerging for building production-grade AI. Here is how the pieces fit together, moving from the user-facing developer experience down to the underlying
Overview Earlier this year, a team at Praetorian was building Constantine , our automated 0-day discovery engine. I wanted to find techniques worth folding into it, so on the side I started poking at the FreeBSD kernel with Claude Code, running on Opus 4.6, which was the latest Opus model at the time. A few days of work turned up real bugs and a weekend after that produced two working exploits capable of escaping from a FreeBSD jail. This article is part of a two-part series. In part one, I will be focusing on the methodology used to uncover the identified vulnerabilities and part two will focus on the methodology we leveraged to develop and exploit the vulnerabilities. It’s been several months since I disclosed roughly eight separate vulnerabilities to the FreeBSD security team. The reality is that this is a volunteer team and they are likely overwhelmed by the sheer number of vulnerabilities being identified within FreeBSD by various security researchers leveraging large language models. Because of this, we can really only publicly discuss a single vulnerability we reported CVE-2026-3038 , a fairly straight-
Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet. The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw. "Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next
For security teams, the findings never stop, but confidence in knowing which ones matter is becoming harder to maintain. The problem is no longer visibility. It's validation. Security teams must decide which findings warrant action while operating under constant pressure and incomplete information. Increasingly, the challenge is not discovering potential risks. It is determining which risks
Lewis Brisbois, a national law firm founded in Los Angeles, told remote and hybrid employees to work from offices or use firm-issued computers after a cyberattack led it to block outside access to internal networks. The reported activity began at least June 5, when employees were warned about callers posing as internal IT staff and spoofing caller ID, a tactic that resembles recent FBI warnings about Silent Ransom Group targeting U.S. law firms through IT impersonation. Lewis Brisbois has not publicly attributed the incident to that group, confirmed data theft or said whether client services were affected.
Account takeovers are rising as attackers bypass traditional defenses through phishing, session hijacking, and MFA fatigue. Specops Software explores how device trust and continuous verification help reduce account takeover risk. [...]
Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. "Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,"
[https://dl.acm.org/doi/10.1145/3800506.3803487](https://dl.acm.org/doi/10.1145/3800506.3803487)
Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to recall how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place. Today, we’re releasing the Cloudflare One stack, a set of skills you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare. Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever. The agent gap in network security Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents are not trained on the nuances of an organization's specific network topology or vendor configurations. By providing prescriptive and authoritative guidance, organizations can layer this context into their existing toolkit to make better use of the security products they are already deploying. Cloudflare has long been the easiest-to-deploy SASE vendor in the market. The stack extends that philosophy to agents: it gives them the context, tools, and structured reasoning they need to o
Microsoft is investigating a new issue preventing third-party applications from launching Microsoft Office applications or opening documents on up-to-date Windows systems. [...]
Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) plugin that is being actively exploited in the wild. [...]
After months of work, I’m excited to finally share [Brovan](https://github.com/AdvDebug/Brovan), my user-mode binary emulator. Brovan can emulate: \- PE binaries \- ELF binaries \- Memory dumps \- Even partially unknown or unrecognized binaries The goal is to make binary analysis, malware analysis and general binary research more flexible by giving full control over execution, memory, and runtime behavior in a contained environment. You can fully control and see everything the program does. Every syscall, function and network traffic. it can also run windows programs on linux and vice versa, although it is still in the early stages it will be improved.
Storage cost has always been a hot topic when log management discussion are on the table. In today’s enterprise ecosystems, organizations commonly ingest very high volumes of logs into their SIEM platforms from a wide range of sources, including servers, network devices, cloud environments, security tools, identity systems, and, in some cases, endpoint telemetry. To fit each enterprise’s needs,
As many as 145 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, OX Security, SafeDep, Socket, StepSecurity, and Synk. "A single npm account (
Your playbooks move fast, but GreyNoise helps them move smarter. Here are five ways GreyNoise drives better decisions in SOAR.
Tuesday, June 16
A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty program, calls the technique "Pickle in the Middle" and said it saw no exploitation in the wild.
TL;DR: Sulla is an open source SMB secret scanner for discovering credentials exposed in SMB shares across enterprise networks. It leverages our recently released Titus Go library, resulting in an easy-to-use, adaptable, and highly performant standalone binary. Every network penetration tester knows the struggle: reviewing network shares for sensitive material is a painful must-do. With anything more than a handful of shares, manual review quickly becomes tedious if not outright infeasible. But automated secret scanning solutions produce nearly unworkable quantities of output, with actual secrets few and far between, not to mention requiring a Windows attack box. Sulla solves this issue by combining Praetorian’s years of secrets detection innovation with a clean, user-friendly interface purpose-built for internal networks. The result is a focused SMB secret scanner that pentesters can run from any Linux box and trust to surface high-signal findings. Sulla is also integrated end-to-end in the Guard, Praetorian’s all-in-one Continuous Threat Exposure Management platform, ensuring SMB secrets are identified as they appear in your environment. How Sulla Scans SMB Shares for Secrets Sulla automatically discovers readable SMB shares, traverses their file trees, and scans their contents for secr
Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play
When we first launched DMARC Management , it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand. Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible. The DMARC Management dashboard offers a unified view of your email authentication posture. What email authentication actually does for you Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference. Email authentication is the set of DNS records that answers that question. There are four protocols that protect your domain: SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every email you send, so receiving servers can
Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and
Cybersecurity researchers have flagged two previously undocumented Windows variants of what was believed to be a Linux-only backdoor called SprySOCKS. "The Windows variants discovered are internally marked as WIN_DRV and WIN_PLUS," ESET said in a report shared with The Hacker News. "Both come with a hard-coded C&C [command-and-control] configuration and support communication over TCP, UDP,
Key findings US executives are more than four times as confident as their own practitioners that AI risk is under control, 29% to 7%. The UK gap runs the same direction, 18% to 11%. The board’s view and the team’s view aren’t the same view. ChatGPT sits in 7 in 10 IT estates and Microsoft […] The post The State of AI Risk Management in 2026 appeared first on Heimdal Security Blog .
i built an ai that caught a hacker hopping across 6 computers in the same second. then i made it prove every word.
i work in digital forensics. when a company gets hacked my job is to figure out what the attacker actually did and prove it. i built an ai to help. on a 22 computer case it caught 6 machines a hacker was hopping between in the exact same second, the kind of lateral movement youd never spot one machine at a time. it surfaced it for me to confirm, it doesnt decide anything on its own. but the part i actually care about: it cant report a finding unless it shows the exact tool output it came from. no proof, no claim. if it cant back it up, a check throws it out. you dont trust the ai, you check its work yourself. its open source and free, and it runs read only so it never touches the evidence. where it still misses things i published exactly what instead of hiding it. heres a folder of real forensic images, go try to make it spit out a wrong answer: https://sansorg.egnyte.com/fl/HhH7crTYT4JK#folder-link/HACKATHON-2026 5 min of it running, including a real screwup it catches and fixes itself: https://www.youtube.com/watch?v=jw6etogNzhY&t=70s code: https://github.com/TimothyVang/verdict-dfir tell me where it breaks, or send a fix.
In this post, we walk through different threats to Salesforce and how to detect them.
Monday, June 15
Remus Stealer is a rapidly evolving Malware-as-a-Service infostealer that emerged in 2026. Remus also shifted from Lumma's 32-bit architecture and traditional resolvers to 64-bit with EtherHiding and enhanced anti-analysis (e.g., sandbox DLL checks, PST honeypot detection). * It utilizes EtherHiding, storing C2 addresses in Ethereum smart contracts to avoid takedowns. * The malware steals credentials, browser cookies, authentication tokens, and cryptocurrency wallet data. * Session theft is one of Remus's most dangerous capabilities because it can bypass MFA by stealing active session cookies directly from browser memory. * The malware shows strong technical similarities to Lumma Stealer and may represent its evolutionary successor. * Financial services, healthcare, government, technology firms, and MSPs are particularly attractive targets. * Common infection vectors include phishing, fake software downloads, malvertising, and fake CAPTCHA campaigns, as well as SEO poisoning and fake GitHub projects to trick tech-savvy users. See whole [ANY.RUN](http://ANY.RUN) execution chain at [https://app.any.run/tasks/ae43628b-9d56-4c43-abac-fae7266c749f/](https://app.any.run/tasks/ae43628b-9d56-4c43-abac-fae7266c749f/) Check out whole malware analysis report at [https://any.run/malware-trends/remus/](https://any.run/malware-trends/remus/)
While fuzzing the Kubernetes AWS KMS provider, researchers at Syntetisk found a denial-of-service issue in aws-encryption-provider where an empty ciphertext field could trigger an unrecovered Go panic and crash the plugin process. The writeup includes root-cause analysis, crash path details, reproducer examples, impact discussion, and disclosure timeline
Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale. Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures. As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible. Incorporating Ensemble’s expertise The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a quantization or hardware problem, Ensemble has explored new model building blocks that can make neural networks more compact and efficient at the architectural level. A core part of this work is NdLinear , a drop-in replacement for standard linear layers in transformer models that operates directly on multidimensional activations rather than flattening structure away. This enables models to preserve meaningful axes, such as heads, channels
🎉 A new 13Cubed episode is up! Have you ever wondered how you can look at the USN Journal on a live and running system? In this episode, we'll dive in to see how it actually works and whether it matches what we’ve been taught. [https://www.youtube.com/watch?v=eSLHyqZlglk](https://www.youtube.com/watch?v=eSLHyqZlglk)
Rank One, whose board includes a former CIA deputy director and a former FBI science chief, supplied face recognition to Meta for internal development of its smart glasses app.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Light switches. How on earth is it so hard to find decent light switches?! It sounds ridiculous until you actually spend enough time looking for ones that meet two simple criteria: Aren't stateful (switch is up or down, has to be push-button) Looks good Now, I'm conscious that this is also very likely an Australian problem, more so than a European or North American one. We're pretty limited by what we get down here, and because it involves electricity, the switches here have to pass all sorts of local Aussie tests and standards. I can't just jump onto eBay or Amazon and ship a box of good ones over from the US. So we're stuck with these rubbish ones... unless you can find me something decent? Please?!
This post explores four vectors for threat actors to abuse Azure Storage to maliciously encrypt victim blobs, including step-by-step explanations and event codes for detection.
Sunday, June 14
Readers reply: Experts say we should use passkeys, but can a smartphone pin really be safer than a password?
The long-running series in which readers answer other readers’ questions on subjects ranging from trivial flights of fancy to profound scientific and philosophical concepts This week’s question: Is ‘ripen at home’ fruit the supermarkets’ idea of a joke? I’ve been struggling to get my head around the idea that a passkey, which can be a pin on your phone, or facial recognition, can be safer than using a complicated password and two-factor authentication. I get that having something unique to your device, not stored on a company’s server, is unphishable and less hackable by cybercrims, but what if your phone is nicked and someone guesses the password? And what if you lose your phone? Continue reading...
An interesting write-up from [https://x.com/unrequitedlyfe](https://x.com/unrequitedlyfe) describing how an accidental login led to access to a threat actor-controlled phishing website. The blog provides a behind-the-scenes look at phishing infrastructure, operational mistakes made by the actor, backend panels, and infrastructure pivoting opportunities that can assist threat intelligence investigations. Worth a read for those interested in phishing analysis, OSINT, and threat actor infrastructure tracking.
Saturday, June 13
Two Chrome extensions presenting as **adblockers** also intercept every prompt and response on ChatGPT, Claude, Gemini, Copilot, Grok, Perplexity, DeepSeek, and Meta AI, exfiltrating them to operator-controlled servers. They also check whether you're a paid user on 5 of the 8 platforms (ChatGPT, Claude, Perplexity, Copilot, Gemini). Both share the same capture engine, payload format, and partnerId. **Two brands, one operation**. * [Smart Adblocker - Chrome Web Store](https://chromewebstore.google.com/detail/smart-adblocker/iojpcjjdfhlcbgjnpngcmaojmlokmeii) \``iojpcjjdfhlcbgjnpngcmaojmlokmeii`\`, 80k users * [Adblock for Browser - Chrome Web Store](https://chromewebstore.google.com/detail/Adblock%20for%20Browser/jcbjcocinigpbgfpnhlpagidbmlngnnn) **\`**`jcbjcocinigpbgfpnhlpagidbmlngnnn`\`, 10k users Report covers the IOCs, live remote config, reproduction curl, and full target breakdown. Full write-up: [MalExt Sentry - Malicious Browser Extension Tracker](https://malext.io/reports/PromptSnatcher/) Chrome Web Store abuse reports filed.
Using Claude Code to find and weaponise an XSS in MeshCentral using a rogue client, resulting in RCE.
Plus: AI bug hunting fuels Microsoft’s biggest-ever Patch Tuesday, ShinyHunters ransomware gang exploits an Oracle zero-day, and more.
In my blog article I analyze how random numbers in older PHP versions were generated. It turns out you can, under certain circumstances, derive the id of the process which generated a random number! While it has exactly 0 practical application, it was super fun to dig into the php's source code.
Friday, June 12
Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)
Three posts? In three days? Are we insane? We're home alone, there's no one to stop us, and we're up past bedtime. So, we need to talk about Splunk. On June 10th, Splunk published this CVE-2026-20253 advisory : It has everything that we love: No authentication requirements, An almost full-mark CVSS score, Claims to be a security product, Vulnerability name longer than the average piece of spaghetti. We immediately ha
Heimdal sysadmin Alex Panait spent weeks testing Claude Cowork inside the company. His verdict was blunt. It felt like onboarding a junior employee with no manager, no scoped access, and no clear accountability when something goes wrong. Except this one can delete your SharePoint. That is the uncomfortable reality behind autonomous AI desktop assistants. They […] The post Your Next Insider Threat May Be an AI Coworker appeared first on Heimdal Security Blog .
Security Insights provides actionable security recommendations for every Cloudflare account. To find these insights, we perform regular scans for all accounts, zones, and DNS records, looking for potential security risks and misconfigurations. However, two key issues emerged. First, our scans were too infrequent. Scans were only being performed every week or two, and therefore newly introduced security risks could remain undetected for up to two weeks. Second, automatic scanning was opt-in for many free plan accounts – meaning lots of accounts weren’t being scanned at all. The risks of infrequent or nonexistent scans are rising: as automated attacks accelerate, the window for detecting security misconfigurations is shrinking. Making sure that we’re finding these issues for all of our customers is crucial to our aim of building a better Internet for everyone. We calculated that to increase our scanning frequencies and enable automatic scanning for all accounts, we would need to increase our scanning throughput by around 10x on average – from 10 scans per second to 100 per second. But our system was already struggling with its load: millions of events were filling up our backlog waiting to be processed; our API was frequently timing out; our processes were crashing. We needed to fix our system, and we needed to make it scale . This is the story of how we increased scanning throughput for Security Insights by more than 10x, enabled security insights for millions of customers, and doubled our scanning frequency for all customers. Read on to find out how we achieved these improvements. How we scan for security insights At a high level, our automatic security scans are triggered by a scheduler. When an account or zone is due for a s
Cybersecurity failures now happen beyond the OSI stack. Faulty governance, the human factor, and AI tools create new attack surfaces. After seven years working across cybersecurity, cloud infrastructure, and Zero Trust architecture, Jayal Yadav explains how we got here and what organizations still get wrong. “The original seven layers of the OSI model still matter. […] The post The OSI Model and Its Two Missing Layers appeared first on Heimdal Security Blog .
What happens when the bits of an RSA private key are heavily biased toward 0 instead of being randomly generated? The public key’s bits could be biased enough for us to detect these incorrectly generated keys in the wild. Together with Hanno Böck of the badkeys project, we found hundreds of unique keys that not only have this property, but can be quickly factored. We also found the bug that led to many of these keys and analyzed historical data to track the issue over time. Surprisingly, the pattern of 0 bits is often highly structured, allowing us to develop a powerful polynomial-based cryptanalytic technique that exploits the pattern. Figure 1: Two patterns of RSA moduli with repeated blocks of 0 bits seen in real-world examples. These “short-sleeve” keys, named for how the 0 bits don’t fully cover the limbs of the big integers, largely fell into two patterns. Pattern 1 remains unexplained, but we traced pattern 2 to a type mismatch in big-integer code from old versions of the CompleteFTP file transfer software. The CompleteFTP bug also generated vulnerable short-sleeve DSA keys, and we recovered 603 unique RSA private keys and 74 DSA keys from internet scans. If you used CompleteFTP to generate host keys between December 2016 and December 2023, CompleteFTP has released a tool to check whether your keys need to be regenerated. How we found
Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751)
It is yet another day in this parallel universe of security, where the devices we bolt onto the edge of our networks to keep the bad people out are, with remarkable consistency, the exact thing that let the bad people in. While we’ve seemingly had a breather from traditional SSL VPN exploitation season (you know, the one where every edge appliance vendor takes it in turns to have a very bad week ), it’s now time to pull up a chair and welcome ourselves back to another group therapy session. Welcome back to another watchTowr Labs blog post. On the 8th of June 2026, Check Point released hotfixes for a pair of vulnerabilities in their Mobile Access/SSL VPN, Remote Access VPN, and Spark Firewall products, specifically within the "deprecated" IKEv1 VPN code. The headline act was CVE-2026-50751, with a CVSS score of 9.3 for an Authentication Bypass. For the AI threat intel bots scraping our posts every few minutes (yes, we know), these vulnerabilities align with CWE-1337 Fun Fridays. Naturally, when the words “VPN” and “Authentication Bypass” are in the vicinity, a CISA KEV listing is not far behind - and this time is no exception. Various sources indicate that this vulnerability has been exploited in the wild since 7th May 2026 (roughly a month before anyone received a patch), and that, per Check Point, there were "a few dozen targeted organizations".
Thursday, June 11
A WIRED investigation found dozens of “nudified” deepfake images and videos on Grok's website, including nonconsensual depictions of celebrities and at least one prominent US politician.
On June 2, the White House signed a new executive order (EO), “Promoting Advanced Artificial Intelligence Innovation and Security.” While most coverage has focused on the voluntary framework for frontier model access, there’s language around defensive cybersecurity that also deserves attention from security leaders.The order directs CISA to establish or expand federal programs and cybersecurity […] The post What the New AI Executive Order Means for Federal Security Testing appeared first on Synack .
Reverse engineered BLE protocol of a $7 generic Chinese smart ring from Temu, and built an iOS app around it
A joint congressional report describes a spam operation that turned tens of thousands of fake podcasts into search-engine bait for illegal pharmacy and scam sites.