Category: Cybersecurity

Nov 11, 2025Ravie LakshmananSoftware Supply Chain / Malware

Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories.

“We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub,” Veracode said in an analysis.

The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions.

The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It’s no longer available for download, but it appears to have been downloaded 1,016 times.

Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.

It’s also designed to run a JavaScript file named “verify.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.

“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.”

Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that’s sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.

According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications.

“It’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” Zimperium researcher Vishnu Pratapagiri said in a report last week.

“Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”

The threat actor, in their advertisement for Fantasy Hub, refers to victims as “mammoths,” a term often used by Telegram-based cybercriminals operating out of Russia.

Customers of the e-crime solution receive instructions related to creating fake Google Play Store landing pages for distribution, as well as the steps to bypass restrictions. Prospective buyers can choose the icon, name, and page they wish to receive a slick-looking page.

The bot, which manages paid subscriptions and builder access, is also designed to let threat actors upload any APK file to the service and return a trojanized version with the malicious payload embedded into it. The service is available for one user (i.e., one active session) for a weekly price of $200 or for $500 per month. Users can also opt for a yearly subscription that costs $4,500.

The command-and-control (C2) panel associated with the malware provides details about the compromised devices, along with information about the subscription status itself. The panel also offers the attackers the ability to issue commands to collect various kinds of data.

“Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats,” Zimperium said. “This design closely mirrors HyperRat, an Android RAT that was detailed last month.”

As for the malware, it abuses the default SMS privileges like ClayRAT to obtain access to SMS messages, contacts, camera, and files. By prompting the user to set it as the default SMS handling app, it allows the malicious program to obtain multiple powerful permissions in one go rather than having to ask for individual permissions at runtime.

The dropper apps have been found to masquerade as a Google Play update to lend it a veneer of legitimacy and trick users into granting it the necessary permissions. Besides using fake overlays to obtain banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on an open-source project to stream camera and microphone content in real-time over WebRTC.

“The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise,” Pratapagiri said. “Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time.”

The disclosure comes as Zscaler ThreatLabz revealed that Android malware transactions increased by 67% year-over-year, driven by sophisticated spyware and banking trojans. As many as 239 malicious applications have been flagged on the Google Play Store, with the apps being downloaded 42 million times collectively between June 2024 and May 2025.

Some of the noteworthy Android malware families observed during the time period were Anatsa (aka TeaBot and Toddler), Void (aka Vo1d), and a never-before-seen Android RAT dubbed Xnotice that has targeted job seekers in the oil and gas sector in the Middle East and North African regions by passing off as job application apps distributed via fake employment portals.

Once installed, the malware steals banking credentials through overlays, and collects other sensitive data like multi-factor authentication (MFA) codes, SMS messages, and screenshots.

“Threat actors deploy sophisticated banking trojans like Anatsa, ERMAC, and TrickMo, which often masquerade as legitimate utilities or productivity apps on both official and third-party app stores,” the company said. “Once installed, they use highly deceptive techniques to capture usernames, passwords, and even the two-factor authentication (2FA) codes needed to authorize transactions.”

The findings also follow an advisory from CERT Polska about new samples of Android malware called NGate (aka NFSkate) targeting users of Polish banks to plunder card details via Near Field Communication (NFC) relay attacks. Links to the malicious apps are distributed via phishing emails or SMS messages that purport to come from the banks and warn recipients of a technical problem or a security incident, thereby nudging them into installing the app.

Upon launching the app in question, the victim is prompted to verify their payment card directly within the app by tapping it on the back of the Android device. However, doing so causes the app to stealthily capture the card’s NFC data and exfiltrate it to an attacker-controlled server, or directly to a companion app installed by the threat actor who wants to withdraw cash from an ATM.

“The campaign is designed to enable unauthorized cash withdrawals at ATMs using victims’ own payment cards,” the agency said. “Criminals don’t physically steal the card; they relay the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at an ATM.”

AI-enabled supply chain attacks jumped 156% last year. Discover why traditional defenses are failing and what CISOs must do now to protect their organizations.

Download the full CISO’s expert guide to AI Supply chain attacks here.

TL;DR

• AI-enabled supply chain attacks are exploding in scale and sophistication – Malicious package uploads to open-source repositories jumped 156% in the past year.
• AI-generated malware has game-changing characteristics – It’s polymorphic by default, context-aware, semantically camouflaged, and temporally evasive.
• Real attacks are already happening – From the 3CX breach affecting 600,000 companies to NullBulge attacks weaponizing Hugging Face and GitHub repositories.
• Detection times have dramatically increased – IBM’s 2025 report shows breaches take an average of 276 days to identify, with AI-assisted attacks potentially extending this window.
• Traditional security tools are struggling – Static analysis and signature-based detection fail against threats that actively adapt.
• New defensive strategies are emerging – Organizations are deploying AI-aware security to improve threat detection.
• Regulatory compliance is becoming mandatory – The EU AI Act imposes penalties of up to €35 million or 7% of global revenue for serious violations.
• Immediate action is critical – This isn’t about future-proofing but present-proofing.

The Evolution from Traditional Exploits to AI-Powered Infiltration

Remember when supply chain attacks meant stolen credentials and tampered updates? Those were simpler times. Today’s reality is far more interesting and infinitely more complex.

The software supply chain has become ground zero for a new breed of attack. Think of it like this: if traditional malware is a burglar picking your lock, AI-enabled malware is a shapeshifter that studies your security guards’ routines, learns their blind spots, and transforms into the cleaning crew.

Take the PyTorch incident. Attackers uploaded a malicious package called torchtriton to PyPI that masqueraded as a legitimate dependency. Within hours, it had infiltrated thousands of systems, exfiltrating sensitive data from machine learning environments. The kicker? This was still a “traditional” attack.

Fast forward to today, and we’re seeing something fundamentally different. Take a look at these three recent examples –

1. NullBulge Group – Hugging Face & GitHub Attacks (2024)

A threat actor called NullBulge conducted supply chain attacks by weaponizing code in open-source repositories on Hugging Face and GitHub, targeting AI tools and gaming software. The group compromised the ComfyUI_LLMVISION extension on GitHub and distributed malicious code through various AI platforms, using Python-based payloads that exfiltrated data via Discord webhooks and delivered customized LockBit ransomware.

2. Solana Web3.js Library Attack (December 2024)

On December 2, 2024, attackers compromised a publish-access account for the @solana/web3.js npm library through a phishing campaign. They published malicious versions 1.95.6 and 1.95.7 that contained backdoor code to steal private keys and drain cryptocurrency wallets, resulting in the theft of approximately $160,000–$190,000 worth of crypto assets during a five-hour window.

3. Wondershare RepairIt Vulnerabilities (September 2025)

The AI-powered image and video enhancement application Wondershare RepairIt exposed sensitive user data through hardcoded cloud credentials in its binary. This allowed potential attackers to modify AI models and software executables and launch supply chain attacks against customers by replacing legitimate AI models retrieved automatically by the application.

Download the CISO’s expert guide for full vendor listings and implementation steps.

The Rising Threat: AI Changes Everything

Let’s ground this in reality. The 3CX supply chain attack of 2023 compromised software used by 600,000 companies worldwide, from American Express to Mercedes-Benz. While not definitively AI-generated, it demonstrated the polymorphic characteristics we now associate with AI-assisted attacks: each payload was unique, making signature-based detection useless.

According to Sonatype’s data, malicious package uploads jumped 156% year-over-year. More concerning is the sophistication curve. MITRE’s recent analysis of PyPI malware campaigns found increasingly complex obfuscation patterns consistent with automated generation, though definitive AI attribution remains challenging.

Here’s what makes AI-generated malware genuinely different:

• Polymorphic by default: Like a virus that rewrites its own DNA, each instance is structurally unique while maintaining the same malicious purpose.
• Context-aware: Modern AI malware includes sandbox detection that would make a paranoid programmer proud. One recent sample waited until it detected Slack API calls and Git commits, signs of a real development environment, before activating.
• Semantically camouflaged: The malicious code doesn’t just hide; it masquerades as legitimate functionality. We’ve seen backdoors disguised as telemetry modules, complete with convincing documentation and even unit tests.
• Temporally evasive: Patience is a virtue, especially for malware. Some variants lie dormant for weeks or months, waiting for specific triggers or simply outlasting security audits.

Why Traditional Security Approaches Are Failing

Most organizations are bringing knives to a gunfight, and the guns are now AI-powered and can dodge bullets.

Consider the timeline of a typical breach. IBM’s Cost of a Data Breach Report 2025 found it takes organizations an average of 276 days to identify a breach and another 73 days to contain it. That’s nine months where attackers own your environment. With AI-generated variants that mutate daily, your signature-based antivirus is essentially playing whack-a-mole blindfolded.

AI isn’t just creating better malware, it’s revolutionizing the entire attack lifecycle:

• Fake Developer Personas: Researchers have documented “SockPuppet” attacks where AI-generated developer profiles contributed legitimate code for months before injecting backdoors. These personas had GitHub histories, Stack Overflow participation, and even maintained personal blogs – all generated by AI.
• Typosquatting at Scale: In 2024, security teams identified thousands of malicious packages targeting AI libraries. Names like openai-official, chatgpt-api, and tensorfllow (note the extra ‘l’) trapped thousands of developers.
• Data Poisoning: Recent Anthropic Research demonstrated how attackers could compromise ML models at training time, inserting backdoors that activate on specific inputs. Imagine your fraud detection AI suddenly ignoring transactions from specific accounts.
• Automated Social Engineering: Phishing isn’t just for emails anymore. AI systems are generating context-aware pull requests, comments, and even documentation that appears more legitimate than many genuine contributions.

A New Framework for Defense

Forward-thinking organizations are already adapting, and the results are promising.

The new defensive playbook includes:

• AI-Specific Detection: Google’s OSS-Fuzz project now includes statistical analysis that identifies code patterns typical of AI generation. Early results show promise in distinguishing AI-generated from human-written code – not perfect, but a solid first line of defense.
• Behavioral Provenance Analysis: Think of this as a polygraph for code. By tracking commit patterns, timing, and linguistic analysis of comments and documentation, systems can flag suspicious contributions.
• Fighting Fire with Fire: Microsoft’s Counterfit and Google’s AI Red Team are using defensive AI to identify threats. These systems can identify AI-generated malware variants that evade traditional tools.
• Zero-Trust Runtime Defense: Assume you’re already breached. Companies like Netflix have pioneered runtime application self-protection (RASP) that contains threats even after they execute. It’s like having a security guard inside every application.
• Human Verification: The “proof of humanity” movement is gaining traction. GitHub’s push for GPG-signed commits adds friction but dramatically raises the bar for attackers.

The Regulatory Imperative

If the technical challenges don’t motivate you, perhaps the regulatory hammer will. The EU AI Act isn’t messing around, and neither are your potential litigators.

The Act explicitly addresses AI supply chain security with comprehensive requirements, including:

• Transparency obligations: Document your AI usage and supply chain controls
• Risk assessments: Regular evaluation of AI-related threats
• Incident disclosure: 72-hour notification for AI-involved breaches
• Strict liability: You’re responsible even if “the AI did it”

Penalties scale with your global revenue, up to €35 million or 7% of worldwide turnover for the most serious violations. For context, that would be a substantial penalty for a large tech company.

But here’s the silver lining: the same controls that protect against AI attacks typically satisfy most compliance requirements.

Your Action Plan Starts Now

The convergence of AI and supply chain attacks isn’t some distant threat – it’s today’s reality. But unlike many cybersecurity challenges, this one comes with a roadmap.

Immediate Actions (This Week):

• Audit your dependencies for typosquatting variants.
• Enable commit signing for critical repositories.
• Review packages added in the last 90 days.

Short-term (Next Month):

• Deploy behavioral analysis in your CI/CD pipeline.
• Implement runtime protection for critical applications.
• Establish “proof of humanity” for new contributors.

Long-term (Next Quarter):

• Integrate AI-specific detection tools.
• Develop an AI incident response playbook.
• Align with regulatory requirements.

The organizations that adapt now won’t just survive, they’ll have a competitive advantage. While others scramble to respond to breaches, you’ll be preventing them.

For the full action plan and recommended vendors, download the CISO’s guide PDF here.

The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control.

“Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs,” the Genians Security Center (GSC) said in a technical report.

What’s notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google’s asset tracking services Find Hub (formerly Find My Device) to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025.

The development marks the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices. The activity is also preceded by an attack chain in which the attackers approach targets via spear-phishing emails to obtain access to their computers, and leverage their logged-in KakaoTalk chat app sessions to distribute the malicious payloads to their contacts in the form of a ZIP archive.

The spear-phishing emails are said to mimic legitimate entities like the National Tax Service to deceive recipients into opening malicious attachments to deliver remote access trojans like Lilith RAT that can remotely commandeer compromised machines and deliver additional payloads.

Konni Attack Flow

“The threat actor stayed hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user was absent,” GSC noted. “In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment.”

The deployed malware on the victim’s computer allows the threat actors to carry out internal reconnaissance and monitoring, as well as exfiltrate victims’ Google and Naver account credentials. The stolen Google credentials are then used to log in to Google’s Find Hub and initiate a remote wipe of their devices.

In one case, the attackers have been found to sign into a recovery email account registered under Naver, delete security alert emails from Google, and empty the inbox’s trash folder to cover up traces of the nefarious activity.

The ZIP file propagated via the messaging app contains a malicious Microsoft Installer (MSI) package (“Stress Clear.msi”), which abuses a valid signature issued to a Chinese company to give the application an illusion of legitimacy. Once launched, it invokes a batch script to perform initial setup and proceeds to run a Visual Basic Script (VB Script) that displays a fake error message about a language pack compatibility issue, while the malicious commands are executed in the background.

This includes launching an AutoIt script that’s configured to run every minute by means of a scheduled task in order to execute additional commands received from an external server (“116.202.99[.]218”). While the malware shares some similarities with Lilith RAT, it has been codenamed EndRAT (aka EndClient RAT by security researcher Ovi Liber) due to the differences observed.

Genians said the Konni APT actors have also utilized an AutoIt script to launch Remcos RAT version 7.0.4, which was released by its maintainers, Breaking Security, on September 10, 2025, indicating that the adversary is actively using newer versions of the trojan in its attacks. Also observed on victim devices are Quasar RAT and RftRAT, another trojan previously put to use by Kimsuky in 2023.

“This suggests that the malware is tailored to Korea-focused operations and that obtaining relevant data and conducting in-depth analysis requires substantial effort,” the South Korean cybersecurity company said.

Lazarus Group’s New Comebacker Variant Detailed

The disclosure comes as ENKI detailed the Lazarus Group’s use of an updated version of the Comebacker malware in attacks aimed at aerospace and defense organizations using tailored Microsoft Word document lures consistent with an espionage campaign. The lures impersonate Airbus, Edge Group, and the Indian Institute of Technology Kanpur.

The infection chain kicks off when victims open the file and enable macros, causing the embedded VBA code to execute and deliver a decoy document that’s displayed to the user, along with a loader component that’s responsible for launching Comebacker in memory.

The malware, for its part, establishes communication with a command-and-control (C2) server over HTTPS and enters into a loop to poll for new commands or download an encrypted payload and execute it.

“The actor’s use of highly specific lure documents indicates that this is a targeted spear phishing campaign,” ENKI said in a technical report. “Although there are no reports of victims so far, the C2 infrastructure remains active at the time of this publication.”

Kimsuky Uses a New JavaScript Dropper

The findings also coincide with the discovery of a new JavaScript-based malware dropper that has been employed by Kimsuky in its recent operations, demonstrating the actor’s continued refinement of its malware arsenal. The initial access mechanism by which the JavaScript malware is distributed is currently not known.

Kimsuky JavaScript Dropper Flow

The starting point of the attack is an initial JavaScript file (“themes.js”) that contacts an adversary-controlled infrastructure to fetch more JavaScript code that’s capable of executing commands, exfiltrating data, and retrieving a third-stage JavaScript payload to create a scheduled task to launch the first JavaScript file every minute and launch an empty Word document, likely as a decoy.

“Since the Word document is empty and does not run any macros in the background, it may be a lure,” the Pulsedive Threat Research said in an analysis published last week.

Nov 10, 2025Ravie LakshmananVulnerability / Incident Response

Google’s Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet’s Triofox file-sharing and remote access platform.

The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads.

The tech giant said it observed a threat cluster tracked as UNC6485 weaponizing the flaw as far back as August 24, 2025, nearly a month after Gladinet released patches for the flaw in version 16.7.10368.56560. It’s worth noting that CVE-2025-12480 is the third flaw in Triofox that has come under active exploitation this year alone, after CVE-2025-30406 and CVE-2025-11371.

“Added protection for the initial configuration pages,” according to release notes for the software. “These pages can no longer be accessed after Triofox has been set up.”

Mandiant said the threat actor weaponized the unauthenticated access vulnerability to gain access to the configuration pages, and then used them to create a new native admin account, Cluster Admin, by running the setup process. The newly created account was subsequently used to conduct follow-on activities.

“To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in antivirus feature,” security researchers Stallone D’Souza, Praveeth DSouza, Bill Glynn, Kevin O’Flynn, and Yash Gupta said.

“To set up the antivirus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the antivirus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account.”

The attackers, per Mandiant, ran their malicious batch script (“centre_report.bat”) by configuring the path of the antivirus engine to point to the script. The script is designed to download an installer for Zoho Unified Endpoint Management System (UEMS) from 84.200.80[.]252, and use it to deploy remote access programs like Zoho Assist and AnyDesk on the host.

The remote access afforded by Zoho Assist was leveraged to conduct reconnaissance, followed by attempts to change passwords for existing accounts and add them to local administrators and the “Domain Admins” group for privilege escalation.

As a way to sidestep detection, the threat actors downloaded tools like Plink and PuTTY to set up an encrypted tunnel to a command-and-control (C2) server over port 433 via SSH with the ultimate goal of allowing inbound RDP traffic.

While the ultimate objective of the campaign remains unknown, it’s advised that Triofox users update to the latest version, audit admin accounts, and verify that Triofox’s antivirus engine is not configured to execute unauthorized scripts or binaries.

According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user’s browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low.

What’s emerging isn’t just a blindspot. It’s a parallel threat surface: unmanaged extensions acting like supply chain implants, GenAI tools accessed through personal accounts, sensitive data copy/pasted directly into prompt fields, and sessions that bypass SSO altogether.

This article unpacks the key findings from the report and what they reveal about the shifting locus of control in enterprise security.

GenAI Is Now the Top Data Exfiltration Channel

The rise of GenAI in enterprise workflows has created a massive governance gap. Nearly half of employees use GenAI tools, but most do so through unmanaged accounts, outside of IT visibility.

Key stats from the report:

• 77% of employees paste data into GenAI prompts
• 82% of those pastes come from personal accounts
• 40% of uploaded files contain PII or PCI
• GenAI accounts for 32% of all corporate-to-personal data movement

Legacy DLP tools weren’t designed for this. The browser has become the dominant channel for copy/paste exfiltration, unmonitored and policy-free.

AI Browsers Are An Emerging Threat Surface

Another emerging browser-based threat surface is ‘agentic’ AI browsers, which blend the traditional security risks of browsers with the new concerns over AI usage.

AI browsers like OpenAI’s Atlas, Arc Search, and Perplexity Browser are redefining how users interact with the web, merging search, chat, and browsing into a single intelligent experience. These browsers integrate large language models directly into the browsing layer, enabling them to read, summarize, and reason over any page or tab in real time. For users, this means seamless productivity and contextual assistance. But for enterprises, it represents a new and largely unmonitored attack surface: an “always-on co-pilot” that quietly sees and processes everything an employee can, without policy enforcement or visibility into what’s being shared with the cloud.

The risks are significant and multifaceted: session memory leakage exposes sensitive data through AI-powered personalization; invisible “auto-prompting” sends page content to third-party models; and shared cookies blur identity boundaries, enabling potential hijacks. With no enterprise-grade guardrails, these AI browsers effectively bypass traditional DLP, SSE, and browser security tools, creating a file-less, invisible path for data exfiltration. As organizations embrace GenAI and SaaS-driven workflows, understanding and addressing this emerging blind spot is critical to preventing the next generation of data leaks and identity compromises.

Browser Extensions: The Most Widespread and Least Governed Supply Chain

99% of enterprise users have at least one extension installed. Over half grant high or critical permissions. Many are either sideloaded or published by Gmail accounts, with no verification, updates, or accountability.

From the telemetry:

• 26% of extensions are sideloaded
• 54% are published by Gmail accounts
• 51% haven’t been updated in over a year
• 6% of GenAI-related extensions are classified as malicious

This isn’t about productivity anymore, it’s an unmanaged software supply chain embedded in every endpoint.

Identity Governance Ends at the IdP. Risk Starts in the Browser.

The report finds that over two-thirds of logins happen outside of SSO, and nearly half use personal credentials, making it impossible for security teams to know who is accessing what, or from where.

Breakdown:

• 68% of corporate logins are done without SSO
• 43% of SaaS logins use personal accounts
• 26% of users reuse passwords across multiple accounts
• 8% of browser extensions access users’ identities or cookies

Attacks like Scattered Spider proved this: browser session tokens, not passwords, are now the primary target.

SaaS and Messaging Apps Are Quietly Exfiltrating Sensitive Data

Workflows that once relied on file uploads have shifted toward browser-based pasting, AI prompting, and third-party plugins. Most of this activity now occurs in the browser layer, not the app.

Observed behaviors:

• 62% of pastes into messaging apps include PII/PCI
• 87% of that happens via non-corporate accounts
• On average, users paste 4 sensitive snippets per day into non-corporate tools

In incidents like the Rippling/Deel leak, the breach didn’t involve malware or phishing, it came from unmonitored chat apps inside the browser.

Traditional Tools Weren’t Built for This Layer

EDR sees processes. SSE sees network traffic. DLP scans files. None of them inspect what’s happening inside the session, like which SaaS tab is open, what data is being pasted, or which extension is injecting scripts.

Security teams are blind to:

• Shadow AI usage and prompt inputs
• Extension activity and code changes
• Personal vs. corporate account crossovers
• Session hijacking and cookie theft

That’s why securing the browser requires a new approach.

Session-Native Controls Are the Next Frontier

To regain control, security teams need browser-native visibility, capabilities that operate at the session level without disrupting user experience.

What this includes:

• Monitoring copy/paste and uploads across apps
• Detecting unmanaged GenAI tools and extensions
• Enforcing session isolation and SSO everywhere
• Applying DLP to non-file-based interactions

A modern browser security platform, like the one outlined in the full report, can provide these controls without forcing users onto a new browser.

Read the Full Report to See the Blindspots You’re Missing

The Browser Security Report 2025 offers a data-rich view into how the browser has quietly become the most critical and vulnerable endpoint in the enterprise. With insights from millions of real browser sessions, it maps where today’s controls fail and where modern breaches begin.

Download the full report to see what traditional controls are missing, and what top CISOs are doing next.

Cyber threats didn’t slow down last week—and attackers are getting smarter. We’re seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild.

But that’s just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week’s roundup highlights a clear shift: cybercrime is evolving fast, and the lines between technical stealth and strategic coordination are blurring.

It’s worth your time. Every story here is about real risks that your team needs to know about right now. Read the whole recap.

⚡ Threat of the Week

Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs — Curly COMrades, a threat actor supporting Russia’s geopolitical interests, has been observed abusing Microsoft’s Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run completely outside the host operating system’s visibility, effectively bypassing endpoint security tools. The campaign, observed in July 2025, involved the deployment of CurlyShell and CurlyCat. The victims were not publicly identified. The threat actors are said to have configured the virtual machine to use the Default Switch network adaptor in Hyper-V to ensure that the VM’s traffic travels through the host’s network stack using Hyper-V’s internal Network Address Translation (NAT) service, causing all malicious outbound communication to appear to originate from the legitimate host machine’s IP address. Further investigation has revealed that the attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor, while disabling its graphical management interface, Hyper-V Manager. The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two VHDX and VMCX files corresponding to a pre-built Alpine Linux VM. Lastly, the threat actors used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and launch it with the name WSL, a deception tactic meant to give the impression that the Windows Subsystem for Linux was employed. “The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation,” Bitdefender said. The findings paint a picture of a threat actor that uses sophisticated methods to maintain long-term access in target networks, while leaving a minimal forensic footprint.

• ‘Whisper Leak’ That Identifies AI Chat Topics in Encrypted Traffic — Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections. “Cyber attackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyber attack to infer if the user’s prompt is on a specific topic,” the company said. The attack has been codenamed Whisper Leak. In a proof-of-concept (PoC) test, researchers found that it’s possible to glean conversation topics from Alibaba, DeepSeek, Mistral, Microsoft, OpenAI, and xAI models with a success rate of over 98%. In response, OpenAI, Mistral, Microsoft, and xAI have deployed mitigations to counter the risk.
• Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware — A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in precision attacks in Iraq, Iran, Turkey, and Morocco. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the “libimagecodec.quram.so” component that could allow remote attackers to execute arbitrary code, according to Palo Alto Networks Unit 42. The issue was addressed by Samsung in April 2025. LANDFALL, once installed and executed, acts as a comprehensive spy tool, capable of harvesting sensitive data, including microphone recording, location, photos, contacts, SMS, files, and call logs. While Unit 42 said the exploit chain may have involved the use of a zero-click approach to trigger the exploitation of CVE-2025-21042 without requiring any user interaction, there are currently no indications that it has happened or that there exists an unknown security issue in WhatsApp to support this hypothesis. The Android spyware is specifically designed to target Samsung’s Galaxy S22, S23, and S24 series devices, along with Z Fold 4 and Z Flip 4. There are no conclusive clues yet on who is involved, nor is it clear how many people were targeted or exploited.
• Hidden Logic Bombs in Malicious NuGet Packages Go Off Years After Deployment — A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. The packages were published in 2023 and 2024 by a user named “shanhai666” and are designed to run malicious code after specific trigger dates in August 2027 and November 2028, with the exception of one library, which claims to extend the functionality of another legitimate NuGet package called Sharp7. Sharp7Extend, as it’s called, is set to activate its malicious logic immediately following installation and continues until June 6, 2028, when the termination mechanism stops by itself.
• Flaws in Microsoft Teams Expose Users to Impersonation Risks — A set of four now-patched security vulnerabilities in Microsoft Teams could have exposed users to serious impersonation and social engineering attacks. The vulnerabilities “allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications,” according to Check Point. These shortcomings make it possible to alter message content without leaving the “Edited” label and sender identity and modify incoming notifications to change the apparent sender of the message, thereby allowing an attacker to trick victims into opening malicious messages by making them appear as if they are coming from a trusted source, including high-profile C-suite executives. The flaws also granted the ability to change the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modify display names used in call notifications and during the call, permitting an attacker to forge caller identities in the process. The issues have since been addressed by Microsoft.
• Three High-Profile Groups Come Together — Scattered LAPSUS$ Hunters (SLH), a merger formed between Scattered Spider, LAPSUS$, and ShinyHunters, has cycled through no less than 16 Telegram channels since August 8, 2025. The group, which has advertised an extortion-as-a-service offering and is also testing “Sh1nySp1d3r” ransomware, has now been identified not just as a fluid collaboration but as a coordinated alliance blending the operational tactics of the three high-profile criminal clusters under a shared banner for extortion, recruitment, and audience control. The new group is deliberately bringing together the reputational capital associated with the brands to create a potent, unified threat identity. The effort is being seen as the first cohesive alliance inside The Com, a traditionally loose-knit network, leveraging the merger as a force multiplier for financially motivated attacks.

‎️‍🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week’s list includes — CVE-2025-20354, CVE-2025-20358 (Cisco Unified CCX), CVE-2025-20343 (Cisco Identity Services Engine), CVE-2025-62626 (AMD), CVE-2025-5397 (Noo JobMonster theme), CVE-2025-48593, CVE-2025-48581 (Android), CVE-2025-11749 (AI Engine plugin), CVE-2025-12501 (GameMaker IDE), CVE-2025-23358 (NVIDIA App for Windows), CVE-2025-64458, CVE-2025-64459 (Django), CVE-2025-12058 (Keras AI), CVE-2025-12779 (Amazon WorkSpaces client for Linux), CVE-2025-12735 (JavaScript expr-eval), CVE-2025-62847, CVE-2025-62848, CVE-2025-62849 (QNAP QTS and QuTS hero), CVE-2024-12886, CVE-2025-51471, CVE-2025-48889 (Ollama), CVE-2025-34299 (Monsta FTP), CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 (RunC), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2025-64439 (langgraph-checkpoint), CVE-2025-37735 (Elastic Defend on Windows), and seven vulnerabilities in django-allauth.

📰 Around the Cyber World

• RDP Accounts Breached to Drop Cephalus Ransomware — A new Go-based ransomware called Cephalus has been breaching organizations by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled since mid-June 2025. It’s currently not known if it operates under a ransomware-as-a-service (RaaS). “Upon execution, it disables Windows Defender’s real-time protection, deletes VSS backups, and stops key services such as Veeam and MSSQL to increase its encryption success rate and decrease the chances of recovery,” AhnLab said. “Cephalus uses a single AES-CTR key for encryption, and this key is managed to minimize exposure on the disk and in memory. Finally, the AES key is encrypted using an embedded RSA public key, ensuring that only threat actors with the corresponding RSA private key can decrypt the key. It disrupts dynamic analysis by generating a fake AES key.”
• WhatsApp to Roll Out Enhanced Protections for High-Risk Accounts — Users under a higher risk of being targeted by hacking attempts will soon have the option to enable an extra set of security features on WhatsApp, according to a beta version of the app analyzed by WABetaInfo. Similar to Apple’s Lockdown Mode, the feature blocks media and attachments from unknown senders, adds calling and messaging restrictions, and enables other settings, including silencing unknown callers, restricting automatic group invites to known contacts, disabling link previews, notifying users about encryption code changes, activating two-step verification, and limiting the visibility of personal information for unknown contacts.
• Aurologic Provides Hosting for Sanctioned Entities — German hosting provider aurologic GmbH has emerged as a “central nexus within the global malicious infrastructure ecosystem” providing upstream transit and data center services to a large concentration of high-risk hosting networks, including the Doppelgänger disinformation network and the recently sanctioned Aeza Group, along with Metaspinner net GmbH (AsyncRAT, njRAT, Quasar RAT), Femo IT Solutions Limited (CastleLoader and other malware), Global-Data System IT Corporation (Cobalt Strike, Sliver, Quasar RAT, Remcos RAT, and other malware), and Railnet. The company was established in October 2023. “Despite its core focus on legitimate network and data center operations, Aurologic has emerged as a hub for some of the most abusive and high-risk networks operating within the global hosting ecosystem,” Recorded Future said.
• Australia Sanctions North Korean Threat Actors — The Australian Government has imposed financial sanctions and travel bans on four entities and one individual — Park Jin Hyok, Kimsuky, Lazarus Group, Andariel, and Chosun Expo — for engaging in cybercrime to support and fund North Korea’s unlawful weapons of mass destruction and ballistic missile programs. “The scale of North Korea’s involvement in malicious cyber-enabled activities, including cryptocurrency theft, fraudulent IT work and espionage, is deeply concerning,” the Foreign Affairs ministry said.
• U.K. Takes Action on Spoofed Mobile Numbers — U.K. mobile carriers will upgrade their networks to “eliminate the ability for foreign call centres to spoof U.K. numbers.” The companies will mark when calls come from abroad to prevent scammers from impersonating U.K. phone numbers. The companies will also roll out “advanced call tracing technology” to allow law enforcement the tools to track down scammers operating across the country and dismantle their operations. “It will make it harder than ever for criminals to trick people through scam calls, using cutting-edge technology to expose fraudsters and bring them to justice,” the U.K. government said.
• Security Flaw in Advanced Installer — A vulnerability has been disclosed in Advanced Installer (version 22.7), a framework for building Windows installers. The bug can enable threat actors to hijack app update mechanisms and run malicious external code if update packages are not digitally signed. By default, and in common practice, they are not digitally signed, Cyderes said. According to its website, Advanced Installer is used by developers and system administrators in more than 60 countries “to package or repackage everything from small shareware products, internal applications, and device drivers, to massive mission-critical systems.” The security risk poses a major supply chain risk due to the popularity of Advanced Installer, opening the door for Bring Your Own Updates (BYOU), enabling attackers to hijack trusted updaters to execute arbitrary code, while bypassing security controls. “These attacks are especially dangerous because they exploit trust and scale: a single poisoned update from a widely used tool (for example, an installer or build tool like Advanced Installer) can silently distribute signed, trusted malware to countless global companies, causing broad data theft, operational outages, regulatory penalties, and severe reputational damage across many sectors,” security researcher Reegun Jayapaul said.
• Jailbreak Detection in Authenticator App — Microsoft said it will introduce Jailbreak/Root detection for Microsoft Entra credentials in the Authenticator app starting February 2026. “This update strengthens security by preventing Microsoft Entra credentials from functioning on jail-broken or rooted devices. All existing credentials on such devices will be wiped to protect your organization,” it said. The change applies to both Android and iOS devices.
• Bad Actors Exploit Flaws in RMM Software — Threat actors have been found exploiting known security vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to gain downstream access into customer environments and deploy Medusa and DragonForce ransomware. “By compromising third-party RMM servers running as SYSTEM, attackers achieved full control over victim networks, deploying discovery tools, disabling defences, exfiltrating data via RClone and Restic, and finally encrypting systems,” Zensec said.
• Cambodia Raids Scam Compounds in Bavet town — The Cambodian government raided two cyber scam compounds in the city of Bavet on November 4, 2025, taking more than 650 suspects, mostly foreign nationals, into custody. One scam compound specialized in impersonating government authorities to threaten victims, while the second site ran fake high-profit investment schemes, forged banking platforms, romance scams, fake marathon registrations, and the use of AI deepfake videos and images to forge identities.
• Samourai Wallet Co-Founder Sentenced to 5 Years in Prison — Keonne Rodriguez, the co-founder and CEO of cryptocurrency mixing service Samourai Wallet, was sentenced to five years in prison. Authorities shut down the Samourai Wallet website in April 2024. The service was used to launder more than $237 million in cryptocurrency linked to hacks, online fraud, and drug trafficking. Samourai Wallet CTO William Lonergan Hill is expected to be sentenced later this month. Both individuals pleaded guilty to money laundering charges back in August.
• Russian Man Pleads Guilty for Yanluowang Attacks — A 25-year-old Russian national, Aleksei Olegovich Volkov, has pleaded guilty to hacking U.S. companies and selling access to ransomware groups. Volkov went online under the hacker name of chubaka.kor, and worked as an initial access broker (IAB) for the Yanluowang ransomware by exploiting security flaws between July 2021 and November 2022. As many as seven U.S. businesses were attacked during that period, out of which an engineering firm and a bank paid a combined $1.5 million in ransoms. Volkov was arrested on January 18, 2024, in Rome and was later extradited to the U.S. to face charges.
• Malicious AI Bots Impersonate Legitimate Agents — Threat actors have been found to develop and deploy bots that impersonate legitimate AI agents from providers like Google, OpenAI, Grok, and Anthropic. “Malicious actors can exploit updated bot policies by spoofing AI agent identities to bypass detection systems, potentially executing large-scale account takeover (ATO) and financial fraud attacks,” Radware said. “Attackers need only spoof ChatGPT’s user agent and use residential proxies or IP spoofing techniques to be classified as a “good AI bot” with POST permissions.”
• Fake Installers Mimic Productivity Tools in Ongoing Campaigns — Information stealer campaigns are leveraging malicious installers impersonating legitimate productivity tools with backdoor capability, which are likely created using EvilAI to distribute malware known as TamperedChef/BaoLoader. “The backdoor is also capable of extracting DPAPI secrets and provides full command-and-control functionality, including arbitrary command execution, file upload and download, and data exfiltration,” CyberProof said. “In most observed cases, the malware proceeds with the deployment of second-stage binaries and establishes additional persistence mechanisms, such as ASEP registry run keys and .LNK startup files.”

🎥 Cybersecurity Webinars

• Learn How Top Experts Secure Multi-Cloud Workloads Without Slowing Innovation — Join this expert-led session to learn how to protect your cloud workloads without slowing innovation. You’ll discover simple, proven ways to control identities, meet global compliance rules, and reduce risk across multi-cloud environments. Whether you work in tech, finance, or operations, you’ll leave with clear, practical steps to strengthen security and keep your business agile, compliant, and ready for what’s next.
• Guardrails, Not Guesswork: How Mature IT Teams Secure Their Patch Pipelines — Join this session to learn how to patch faster without losing security. You’ll see real examples of how community repositories like Chocolatey and Winget can expose your network if not managed safely — and get clear, practical guardrails to avoid it. Gene Moody, Field CTO at Action1, will show you exactly when to trust community repos, when to go vendor-direct, and how to balance speed with safety so your patching stays fast, reliable, and secure.
• Discover How Leading Enterprises Are Cutting Exposure Time in Half with DASR — Join this live session to discover how Dynamic Attack Surface Reduction (DASR) helps you cut through endless vulnerability lists and actually stop attacks before they happen. You’ll see how smart automation and context-driven decisions can shrink your attack surface, close hidden entry points, and free your team from alert fatigue. Walk away with a clear plan to reduce exposures faster, strengthen defenses, and stay one step ahead of hackers—without adding extra work.

🔧 Cybersecurity Tools

• FuzzForge is an open-source tool that helps security engineers and researchers automate application and offensive security testing using AI and fuzzing. It lets you run vulnerability scans, manage workflows, and use AI agents to analyze code, find bugs, and test for weaknesses across different platforms. It’s built to make cloud and AppSec testing faster, smarter, and easier to scale for individuals and teams.
• Butler is a tool that scans all repositories in a GitHub organization to find and review workflows, actions, secrets, and third-party dependencies. It helps security teams understand what runs in their GitHub environment and produces easy-to-read HTML and CSV reports for audits, compliance checks, and workflow management.
• Find-WSUS is a PowerShell tool that helps security teams and system admins find every WSUS server defined in Group Policy. It checks both normal policy settings and hidden Group Policy Preferences that don’t show up in standard reports. This matters because a compromised WSUS server can push fake updates and take control of all domain computers. Using Find-WSUS ensures you know exactly where your update servers are configured—before attackers do.

Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Stop Sensitive Data From Reaching AI Chats — Many teams use AI chat tools to get things done faster, like writing scripts, fixing bugs, or making reports shorter. But everything typed into these systems leaves your company network and may be stored, logged, or reused. If that data includes credentials, internal code, or client information, it becomes an easy leak point.

Attackers and insiders can retrieve this data later, or models could accidentally expose it in future outputs. One careless prompt can expose a lot more than expected.

✅ Add a security layer before the AI. Use OpenGuardrails or similar open-source frameworks to scan and block sensitive text before it’s sent to the model. These tools integrate directly into your apps or internal chat systems.

✅ Pair it with DLP monitoring. Tools like MyDLP or OpenDLP can watch outbound data for patterns like passwords, API keys, or client identifiers.

✅ Create prompt policies. Define what employees can and can’t share with AI systems. Treat prompts like data, leaving your network.

Don’t trust AI companies to keep your secrets safe. Add guardrails to your workflow and keep an eye on what leaves your space. You don’t want sensitive data to end up training someone else’s model.

Conclusion

Just reading headlines won’t cut it. These attacks show what’s coming next—more hidden, more focused, and harder to spot.

Whether you work in security or just want to stay in the loop, this update breaks it down fast. Clear, useful, no extra noise. Take a few minutes and get caught up before the next big threat lands.

Nov 10, 2025Ravie LakshmananMalware / Threat Intelligence

Cybersecurity researchers have disclosed a new set of three extensions associated with the GlassWorm campaign, indicating continued attempts on part of threat actors to target the Visual Studio Code (VS Code) ecosystem.

The extensions in question, which are still available for download, are listed below –

GlassWorm, first documented by Koi Security late last month, refers to a campaign in which threat actors leverage VS Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace to harvest Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, and drop additional tools for remote access.

What makes the malware notable is that it uses invisible Unicode characters to hide malicious code in code editors and abuses the pilfered credentials to compromise additional extensions and further extend its reach, effectively creating a self-replication cycle that allows it to spread in a worm-like fashion.

In response to the findings, Open VSX said it identified and removed all malicious extensions, in addition to rotating or revoking associated tokens as of October 21, 2025. However, the latest report from Koi Security shows that the threat has resurfaced a second time, using the same invisible Unicode character obfuscation trick to bypass detection.

“The attacker has posted a fresh transaction to the Solana blockchain, providing an updated C2 [command-and-control] endpoint for downloading the next-stage payload,” security researchers Idan Dardikman, Yuval Ronen, and Lotan Sery said.

“This demonstrates the resilience of blockchain-based C2 infrastructure – even if payload servers are taken down, the attacker can post a new transaction for a fraction of a cent, and all infected machines automatically fetch the new location.”

The security vendor also revealed it identified an endpoint that’s said to have been inadvertently exposed on the attacker’s server, uncovering a partial list of victims spanning the U.S., South America, Europe, and Asia. This includes a major government entity from the Middle East.

Further analysis has uncovered keylogger information supposedly from the attacker’s own machine, which has yielded some clues as to GlassWorm’s provenance. The threat actor is assessed to be Russian-speaking and is said to use an open-source browser extension C2 framework named RedExt as part of their infrastructure.

“These are real organizations and real people whose credentials have been harvested, whose machines may be serving as criminal proxy infrastructure, whose internal networks may already be compromised,” Koi Security said.

The development comes shortly after Aikido Security published findings showing that GlassWorm has expanded its focus to target GitHub, indicating the stolen GitHub credentials are being used to push malicious commits to repositories.

Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvest their credentials by deploying malware like PureRAT.

“The attacker’s modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments,” Sekoia said. “This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT.”

The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia, which are then either sold on cybercrime forums or used to send fraudulent emails to hotel customers to conduct fraud.

The activity is assessed to be active since at least April 2025 and operational as of early October 2025. It’s one of the several campaigns that has been observed targeting, including a set of attacks that was documented by Microsoft earlier this March.

In the latest wave analyzed by the French cybersecurity company, emails messages are sent from a compromised email account to target several hotels across multiple countries, tricking recipients into clicking on bogus links that triggers a redirection chain to a ClickFix page with a supposed reCAPTCHA challenge to “ensure the security of your connection.”

“Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe,” Sekoia explained. “The objective is to redirect the user to the same URL but over HTTP.”

This causes the victim to copy and execute a malicious PowerShell command that gathers system information and downloads a ZIP archive, which, in turn, contains a binary that ultimately sets up persistence and loads PureRAT (aka zgRAT) by means of DLL side-loading.

The modular malware supports a wide range of features, such as remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries. It’s also protected by .NET Reactor to complicate reverse engineering and also establishes persistence on the host by creating a Run registry key.

Unsuspecting users who end up clicking on the link are taken to a bogus landing page that mimics Booking.com or Expedia, but, in reality, is designed to steal their card information.

It’s assessed that the threat actors behind the scheme are procuring information about administrators of Booking.com establishments from criminal forums like LolzTeam, in some cases even offering a payment based on a percentage of the profit. The acquired details are then used to social engineer them into infecting their systems with an infostealer or remote access trojan (RAT). This task is selectively outsourced to traffers, who are dedicated specialists in charge of malware distribution.

“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry,” Sekoia said. “Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces.”

“Attackers trade these accounts as authentication cookies or login/password pairs extracted from infostealer logs, given that this harvested data typically originates from malware compromise on hotel administrators’ systems.”

The company said it observed a Telegram bot to buy Booking.com logs, as well as a threat actor named “moderator_booking” advertising a Booking log purchase service to obtain logs associated with Booking.com, Expedia, Airbnb, and Agoda. They claim the logs are manually checked within 24-48 hours.

This is typically accomplished by means of log checker tools, available for as low as $40 on cybercrime forums, that authenticate compromised accounts via proxies to ensure that the harvested credentials are still valid.

“The proliferation of cybercrime services supporting each step of the Booking.com attack chain reflects a professionalization of this fraud model,” Sekoia said. “By adopting the ‘as-a-service’ model, cybercriminals lower entry barriers and maximise profits.”

The development comes as Push Security detailed an update to the ClickFix social engineering tactic that makes it even more convincing to users by including an embedded video, countdown timer, and a counter for “users verified in the last hour” along with the instructions to increase the perceived authenticity and trick the user into completing the check without thinking too much.

Another notable update is that the page is capable of adapting itself to display instructions that match the victim’s operating system, asking them to open the Windows Run dialog or the macOS Terminal app depending on the device they are visiting from. The pages are also increasingly equipped to automatically copy the malicious code to the user’s clipboard, a technique called clipboard hijacking.

“ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering,” Push Security said. “ClickFix payloads are becoming more varied and are finding new ways to evade security controls.”

Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections under certain circumstances.

This leakage of data exchanged between humans and streaming-mode language models could pose serious risks to the privacy of user and enterprise communications, the company noted. The attack has been codenamed Whisper Leak.

“Cyber attackers in a position to observe the encrypted traffic (for example, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same Wi-Fi router) could use this cyber attack to infer if the user’s prompt is on a specific topic,” security researchers Jonathan Bar Or and Geoff McDonald, along with the Microsoft Defender Security Research Team, said.

Put differently, the attack allows an attacker to observe encrypted TLS traffic between a user and LLM service, extract packet size and timing sequences, and use trained classifiers to infer whether the conversation topic matches a sensitive target category.

Model streaming in large language models (LLMs) is a technique that allows for incremental data reception as the model generates responses, instead of having to wait for the entire output to be computed. It’s a critical feedback mechanism as certain responses can take time, depending on the complexity of the prompt or task.

The latest technique demonstrated by Microsoft is significant, not least because it works despite the fact that the communications with artificial intelligence (AI) chatbots are encrypted with HTTPS, which ensures that the contents of the exchange stay secure and cannot be tampered with.

Many a side-channel attack has been devised against LLMs in recent years, including the ability to infer the length of individual plaintext tokens from the size of encrypted packets in streaming model responses or by exploiting timing differences caused by caching LLM inferences to execute input theft (aka InputSnatch).

To test this hypothesis, the Windows maker said it trained a binary classifier as a proof-of-concept that’s capable of differentiating between a specific topic prompt and the rest (i.e., noise) using three different machine learning models: LightGBM, Bi-LSTM, and BERT.

The result is that many models from Mistral, xAI, DeepSeek, and OpenAI have been found to achieve scores above 98%, thereby making it possible for an attacker monitoring random conversations with the chatbots to reliably flag that specific topic.

“If a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that’s money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted,” Microsoft said.

Whisper Leak attack pipeline

To make matters worse, the researchers found that the effectiveness of Whisper Leak can improve as the attacker collects more training samples over time, turning it into a practical threat. Following responsible disclosure, OpenAI, Mistral, Microsoft, and xAI have all deployed mitigations to counter the risk.

“Combined with more sophisticated attack models and the richer patterns available in multi-turn conversations or multiple conversations from the same user, this means a cyberattacker with patience and resources could achieve higher success rates than our initial results suggest,” it added.

One effective countermeasure devised by OpenAI, Microsoft, and Mistral involves adding a “random sequence of text of variable length” to each response, which, in turn, masks the length of each token to render the side-channel moot.

Microsoft is also recommending that users concerned about their privacy when talking to AI providers can avoid discussing highly sensitive topics when using untrusted networks, utilize a VPN for an extra layer of protection, use non-streaming models of LLMs, and switch to providers that have implemented mitigations.

The disclosure comes as a new evaluation of eight open-weight LLMs from Alibaba (Qwen3-32B), DeepSeek (v3.1), Google (Gemma 3-1B-IT), Meta (Llama 3.3-70B-Instruct), Microsoft (Phi-4), Mistral (Large-2 aka Large-Instruct-2047), OpenAI (GPT-OSS-20b), and Zhipu AI (GLM 4.5-Air) has found them to be highly susceptible to adversarial manipulation, specifically when it comes to multi-turn attacks.

Comparative vulnerability analysis showing attack success rates across tested models for both single-turn and multi-turn scenarios

“These results underscore a systemic inability of current open-weight models to maintain safety guardrails across extended interactions,” Cisco AI Defense researchers Amy Chang, Nicholas Conley, Harish Santhanalakshmi Ganesan, and Adam Swanda said in an accompanying paper.

“We assess that alignment strategies and lab priorities significantly influence resilience: capability-focused models such as Llama 3.3 and Qwen 3 demonstrate higher multi-turn susceptibility, whereas safety-oriented designs such as Google Gemma 3 exhibit more balanced performance.”

These discoveries show that organizations adopting open-source models can face operational risks in the absence of additional security guardrails, adding to a growing body of research exposing fundamental security weaknesses in LLMs and AI chatbots ever since OpenAI ChatGPT’s public debut in November 2022.

This makes it crucial that developers enforce adequate security controls when integrating such capabilities into their workflows, fine-tune open-weight models to be more robust to jailbreaks and other attacks, conduct periodic AI red-teaming assessments, and implement strict system prompts that are aligned with defined use cases.