Category: Cybersecurity

Sep 30, 2025The Hacker NewsArtificial Intelligence / Threat Detection

The Problem: Legacy SOCs and Endless Alert Noise

Every SOC leader knows the feeling: hundreds of alerts pouring in, dashboards lighting up like a slot machine, analysts scrambling to keep pace. The harder they try to scale people or buy new tools, the faster the chaos multiplies. The problem is not just volume; it is the model itself. Traditional SOCs start with rules, wait for alerts to fire, and then dump raw signals on analysts. By the time someone pieces together what is really happening, the attacker has already moved on, or moved in. It is a broken loop of noise chasing noise.

Flipping the Model: Context Over Chaos

Instead of drowning in raw events, treat every incoming signal as a potential opening move in a bigger story. Logs from identity systems, endpoints, cloud workloads, and SIEMs do not just land in separate dashboards; they are normalized, connected, and enriched to form a coherent investigation. A brute-force login attempt on its own is easy to dismiss. But when enhanced with user history, IP reputation, and signs of lateral movement, it is no longer background noise. It becomes the first chapter of an unfolding breach.

Context is the difference between ignoring another failed login and stopping an attack in motion.

Enabling Analysts with Story-Driven Workflows

The goal is not to hand analysts a bigger stack of alerts, it is to give them a story that already has shape and meaning. When analysts open a case, they see how the activity fits together, what actors are involved, and what paths the threat has already taken. Instead of starting from scratch with scattered evidence, they begin with a clear picture that guides their judgment. That shift changes the nature of the job itself.

Human-Centric AI That Enhances, Not Replaces

This is not about replacing humans with AI. It is about giving humans the space to actually do security. When technology handles the grind of collecting, correlating, and enriching signals, analysts can focus on what they do best: interpreting meaning, thinking creatively, and applying institutional knowledge.

• Junior analysts can develop investigative reasoning by studying complete cases instead of clicking through endless queues,
• Mid-level analysts gain time to hunt and test new hypotheses
• Senior analysts focus on attacker behavior and strategy, shaping how defenses evolve.

The work stops feeling like endless triage and starts feeling like security again.

Measurable Results: Faster MTTR, Fewer False Positives

The results are measurable and dramatic. False positives drop sharply. Mean time to resolution shrinks from hours to minutes. Quality and accuracy shoot up. Teams finally have the capacity to investigate the subtle, low-level signals where attackers often make their first moves.

That is what happens when SOC teams stop chasing alerts and start building context.

Defining the Cognitive SOC

A SOC that thrives is not the one with the most dashboards or the biggest analyst headcount. It is the one that can learn and adapt, quickly turn signals into stories, make confident decisions, and act before chaos spirals. That is the promise of a “cognitive SOC.” Technology organizes the noise, and analysts deliver the answers.

Moving from Alert Chaos to Contextual Clarity

Conifers helps enterprises and MSSP security business leaders escape the tradeoff between effectiveness and efficiency with CognitiveSOC™, an AI SOC agent platform that scales investigations with intelligence and context. Instead of drowning analysts in noisy alerts or forcing MSSPs to sacrifice margins, Conifers blends agentic AI, advanced data science, and human oversight with an organization’s own institutional knowledge to automate end-to-end, multi-tier investigations with reasoning and intent. By mapping incidents to use cases and dynamically applying the right AI techniques, CognitiveSOC produces contextual, evidence-backed outputs that align with each organization’s risk profile and analyst preferences. This results in faster, higher-quality investigations and decision-making, reduced alert fatigue, and improved SOC outcomes at scale. More context, less chaos.

Visit Conifers.ai to request a demo and experience how CognitiveSOC transforms noisy alerts into contextual investigations that boost efficiency, protect margins, and strengthen security posture.

Sep 30, 2025Ravie LakshmananArtificial Intelligence / Threat Detection

Microsoft on Tuesday unveiled the expansion of its Sentinel Security Incidents and Event Management solution (SIEM) as a unified agentic platform with the general availability of the Sentinel data lake.

In addition, the tech giant said it’s also releasing a public preview of Sentinel Graph and Sentinel Model Context Protocol (MCP) server.

“With graph-based context, semantic access, and agentic orchestration, Sentinel gives defenders a single platform to ingest signals, correlate across domains, and empower AI agents built in Security Copilot, VS Code using GitHub Copilot, or other developer platforms,” Vasu Jakkal, corporate vice president at Microsoft Security, said in a post shared with The Hacker News.

Microsoft released Sentinel data lake in public preview earlier this July as a purpose-built, cloud-native tool to ingest, manage, and analyze security data to provide better visibility and advanced analytics.

With the data lake, the idea is to lay the foundation for an agentic defense by bringing data from diverse sources and enabling artificial intelligence (AI) models like Security Copilot to have the full context necessary to detect subtle patterns, correlate signals, and surface high-fidelity alerts.

The shift, Redmond added, allows security teams to uncover attacker behavior, retroactively hunt over historical data, and trigger detections automatically based on the latest tradecraft.

“Sentinel ingests signals, either structured or semi-structured, and builds a rich, contextual understanding of your digital
estate through vectorized security data and graph-based relationships,” Jakkal said.

“By integrating these insights with Defender and Purview, Sentinel brings graph-powered context to the tools security teams already use, helping defenders trace attack paths, understand impact, and prioritize response — all within familiar workflows.”

Microsoft further noted that Sentinel organizes and enriches security data so as to detect issues faster and better respond to events at scale, shifting cybersecurity from “reactive to predictive.”

In addition, the company said users can build Security Copilot agents in a Sentinel MCP server-enabled coding platform, such as VS Code, using GitHub Copilot, that are tailored to their organizational workflows.

The Windows maker has also emphasized the need for securing AI platforms and implementing guardrails to detect (cross-)prompt injection attacks, stating it intends to roll out new enhancements to Azure AI Foundry that incorporate more protection for AI agents against such risks.

Sep 30, 2025Ravie LakshmananArtificial Intelligence / Vulnerability

Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google’s Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft.

“They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user’s saved information and location data via the Gemini Browsing Tool,” Tenable security researcher Liv Matan said in a report shared with The Hacker News.

The vulnerabilities have been collectively codenamed the Gemini Trifecta by the cybersecurity company. They reside in three distinct components of the Gemini suite –

• A prompt injection flaw in Gemini Cloud Assist that could allow attackers to exploit cloud-based services and compromise cloud resources by taking advantage of the fact that the tool is capable of summarizing logs pulled directly from raw logs, enabling the threat actor to conceal a prompt within a User-Agent header as part of an HTTP request to a Cloud Function and other services like Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API, and Recommender API
• A search-injection flaw in the Gemini Search Personalization model that could allow attackers to inject prompts and control the AI chatbot’s behavior to leak a user’s saved information and location data by manipulating their Chrome search history using JavaScript and leveraging the model’s inability to differentiate between legitimate user queries and injected prompts from external sources
• An indirect prompt injection flaw in Gemini Browsing Tool that could allow attackers to exfiltrate a user’s saved information and location data to an external server by taking advantage of the internal call Gemini makes to summarize the content of a web page

Tenable said the vulnerability could have been abused to embed the user’s private data inside a request to a malicious server controlled by the attacker without the need for Gemini to render links or images.

“One impactful attack scenario would be an attacker who injects a prompt that instructs Gemini to query all public assets, or to query for IAM misconfigurations, and then creates a hyperlink that contains this sensitive data,” Matan said of the Cloud Assist flaw. “This should be possible since Gemini has the permission to query assets through the Cloud Asset API.”

Following responsible disclosure, Google has since stopped rendering hyperlinks in the responses for all log summarization responses, and has added more hardening measures to safeguard against prompt injections.

“The Gemini Trifecta shows that AI itself can be turned into the attack vehicle, not just the target. As organizations adopt AI, they cannot overlook security,” Matan said. “Protecting AI tools requires visibility into where they exist across the environment and strict enforcement of policies to maintain control.”

The development comes as agentic security platform CodeIntegrity detailed a new attack that abuses Notion’s AI agent for data exfiltration by hiding prompt instructions in a PDF file using white text on a white background that instructs the model to collect confidential data and then send it to the attackers.

“An agent with broad workspace access can chain tasks across documents, databases, and external connectors in ways RBAC never anticipated,” the company said. “This creates a vastly expanded threat surface where sensitive data or actions can be exfiltrated or misused through multi step, automated workflows.”

Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.

Dutch mobile security company ThreatFabric said it discovered the campaign in August 2025 after users in Australia reported scammers managing Facebook groups promoting “active senior trips.” Some of the other territories targeted by the threat actors include Singapore, Malaysia, Canada, South Africa, and the U.K.

The campaigns, it added, specifically focused on elderly people looking for social activities, trips, in-person meetings, and similar events. These Facebook groups have been found to share artificial intelligence (AI)-generated content, claiming to organize various activities for seniors.

Should prospective targets express willingness to participate in these events, they are subsequently approached via Facebook Messenger or WhatsApp, where they are asked to download an APK file from a fraudulent link (e.g., “download.seniorgroupapps[.]com”).

“The fake websites prompted visitors to install a so-called community application, claiming it would allow them to register for events, connect with members, and track scheduled activities,” ThreatFabric said in a report shared with The Hacker News.

Interestingly, the websites have also been found to contain placeholder links to download an iOS application, indicating that the attackers are looking to target both the mobile operating systems, distributing TestFlight apps for iOS and trick victims into downloading them.

Should the victim click on the button to download the Android application, it either leads to the direct deployment of the malware on their devices, or that of a dropper that’s built using an APK binding service dubbed Zombinder to bypass security restrictions on Android 13 and later.

Some of the Android apps that have been found distributing Datzbro are listed below –

• Senior Group (twzlibwr.rlrkvsdw.bcfwgozi)
• Lively Years (orgLivelyYears.browses646)
• ActiveSenior (com.forest481.security)
• DanceWave (inedpnok.kfxuvnie.mggfqzhl)
• 作业帮 (io.mobile.Itool）
• 麻豆传媒 (fsxhibqhbh.hlyzqkd.aois
• 麻豆传媒 (mobi.audio.aassistant)
• 谷歌浏览器 (tvmhnrvsp.zltixkpp.mdok)
• MT管理器 (varuhphk.vadneozj.tltldo)
• MT管理器 (spvojpr.bkkhxobj.twfwf)
• 大麦 (mnamrdrefa.edldylo.zish)
• MT管理器 (io.red.studio.tracker)

The malware, like other Android banking trojans, has a wide range of capabilities to record audio, capture photos, access files and photos, and conduct financial fraud through remote control, overlay attacks, and keylogging. It also relies on Android’s accessibility services to perform remote actions on the victim’s behalf.

A notable feature of Datzbro is the schematic remote control mode, which allows the malware to send information about all the elements displayed on the screen, their position, and content, so as to allow the operators to re-create the layout at their end and effectively commandeer the device.

The banking trojan can also serve as a semi-transparent black overlay with custom text so as to hide the malicious activity from a victim, as well as steal the device lock screen PIN and passwords associated with Alipay and WeChat. Furthermore, it scans accessibility event logs for package names related to banks or cryptocurrency wallets, and for text containing passwords, PINs, or other codes.

“Such a filter clearly shows the focus of the developers behind Datzbro, not only using its Spyware capabilities, but also turning it into a financial threat,” ThreatFabric said. “With the help of keylogging capabilities, Datzbro can successfully capture login credentials for mobile banking applications entered by unsuspecting victims.”

It’s believed that Datzbro is the work of a Chinese-speaking threat group, given the presence of Chinese debug and logging strings in the malware source code. The malicious apps have been found to be connected to a command-and-control (C2) backend that’s a Chinese-language desktop application, making it stand apart from other malware families that rely on web-based C2 panels.

ThreatFabric said a compiled version of the C2 app has been leaked to a public virus share, suggesting that the malware may have been leaked and is being distributed freely among cybercriminals.

“The discovery of Datzbro highlights the evolution of mobile threats targeting unsuspecting users through social engineering campaigns,” the company said. “By focusing on seniors, fraudsters exploit trust and community-oriented activities to lure victims into installing malware. What begins as a seemingly harmless event promotion on Facebook can escalate into device takeover, credential theft, and financial fraud.”

The disclosure comes as IBM X-Force detailed an AntiDot Android banking malware campaign codenamed PhantomCall that has targeted users of major financial institutions globally, spanning Spain, Italy, France, the U.S., Canada, the U.A.E., and India, using fake Google Chrome dropper apps that can get around Android 13’s controls that prevent sideloaded apps from exploiting accessibility APIs.

According to an analysis published by PRODAFT in June 2025, AntiDot is attributed to a financially motivated threat actor called LARVA-398 and is available to others under a Malware-as-a-Service (MaaS) model on underground forums.

The latest campaign is designed to make use of the CallScreeningService API to monitor incoming calls and selectively block them based on a dynamically generated list of phone numbers stored in the phone’s shared preferences, effectively allowing the attackers to prolong unauthorized access, complete fraudulent transactions, or delay detection.

“PhantomCall also enables attackers to initiate fraudulent activity by silently sending USSD codes to redirect calls, while abusing Android’s CallScreeningService to block legitimate incoming calls, effectively isolating victims and enabling impersonation,” security researcher Ruby Cohen said.

“These capabilities play a critical role in orchestrating high-impact financial fraud by cutting off victims from real communication channels and enabling attackers to act on their behalf without raising suspicion.”

A Chinese national has been convicted for her role in a fraudulent cryptocurrency scheme after law enforcement authorities in the U.K. confiscated £5.5 billion (about $7.39 billion) during a raid of her home in London.

The cryptocurrency seizure, amounting to 61,000 Bitcoin, is believed to be the single largest such effort in the world, the Metropolitan Police said.

Zhimin Qian (aka Yadi Zhang), 47, pleaded guilty at Southwark Crown Court on Monday to offenses related to acquiring and possessing criminal property (i.e., cryptocurrency). She is expected to be sentenced at a later date.

The Met Police said the seizure was the result of a probe launched in 2018 after it received a tip-off about the transfer of criminal assets, with the agency accusing Zhang of orchestrating a large-scale fraud in China between 2014 and 2017 that defrauded more than 128,000 victims. According to Sky News, Zhang was arrested in April 2024.

The scheme essentially duping victims, mostly between 50 and 75 years old, into investing their funds with false promises of daily dividends and guaranteed profits, after which the proceeds are converted into Bitcoin.

“She then fled China using false documents and entered the U.K., where in September 2018 she attempted to launder the proceeds via purchasing property, with the assistance of an assailant, Jian Wen,” the agency noted.

Wen was also jailed for six years and eight months last May for her role in the operation, which involved facilitating the movement of a cryptocurrency wallet that contained 150 Bitcoin, then valued at £1.7 million ($2.28 million). Earlier this January, Wen was ordered to pay back more than £3.1 million ($4.16 million) or face extra time in jail.

Operation Contender 3.0 Targets Romance Scams and Sextortion in 14 African Countries

The development comes as INTERPOL said authorities in 14 African countries arrested 260 suspects and seized 1,235 electronic devices as part of a coordinated international operation dubbed Contender 3.0 that took place between July 28 and August 11, 2025, to tackle cyber-enabled crime.

Countries that participated in the activity included Angola, Benin, Burkina Faso, Cote d’Ivoire, Gambia, Ghana, Guinea, Kenya, Nigeria, Rwanda, Senegal, South Africa, Uganda, and Zambia.

“The crackdown targeted transnational criminal networks exploiting digital platforms, particularly social media, to manipulate victims and defraud them financially,” it said. “Specifically, the operation focused on romance scams, where perpetrators build online relationships to extract money from victims, and sextortion, in which victims are blackmailed with explicit images or videos.”

The illicit activities have claimed 1,463 victims, resulting in losses of $2.8 million. The arrests were carried out in Ghana, Senegal, Cote d’Ivoire, and Angola. The suspects were found to use fake profiles, forged identities, and stolen images to deceive victims and pull off the scams and, in some cases, trick individuals into sharing intimate images.

Alongside the arrests, USB drives, SIM cards, and forged documents used by the suspects to support their criminal activities were seized by officials. It also resulted in the dismantling of 81 cybercrime infrastructures across the continent.

Group-IB, which was one of the private sector entities to support the operation along with Trend Micro, said it provided intelligence on the perpetrators who targeted and interacted with victims of romance scams and digital sextortion. It also said it shared details regarding the payment data used by these criminals in their extortion attempts.

“Cybercrime units across Africa are reporting a sharp rise in digital-enabled crimes such as sextortion and romance scams,” Cyril Gout, acting executive director of Police Services at INTERPOL, said. “The growth of online platforms has opened new opportunities for criminal networks to exploit victims, causing both financial loss and psychological harm.”

Sep 30, 2025The Hacker NewsArtificial Intelligence / Data Protection

The world of enterprise technology is undergoing a dramatic shift. Gen-AI adoption is accelerating at an unprecedented pace, and SaaS vendors are embedding powerful LLMs directly into their platforms. Organizations are embracing AI-powered applications across every function, from marketing and development to finance and HR. This transformation unlocks innovation and efficiency, but it also introduces new risks. Enterprises must balance the promise of AI with the responsibility to protect their data, maintain compliance, and secure their expanding application supply chain.

The New Risk Landscape

With AI adoption comes a new set of challenges:

• AI Sprawl: Employees adopt AI tools independently, often without security oversight, creating blind spots and unmanaged risks.
• Supply Chain Vulnerabilities: interapplication integrations between AI tools and enterprise resources expand the attack surface and introduce dependencies and access paths enterprises can’t easily control.
• Data Exposure Risks: Sensitive information is increasingly shared with external AI services, raising concerns about leakage, misuse, or unintentional data retention.

This evolving risk landscape makes clear that AI security requires more than traditional defenses.

AI Demands a New Security Paradigm

AI is transforming the enterprise landscape at an unprecedented pace, bringing both opportunity and risk. As organizations adopt AI-powered applications across departments, the uncontrolled spread of these tools creates blind spots, increases supply chain vulnerabilities, and raises the likelihood of data exposure. Traditional defenses were not designed to handle the speed, scale, and complexity of this new reality, leaving enterprises exposed. To address these challenges, a new security paradigm is essential, one grounded in continuous discovery, real-time monitoring, adaptive risk assessment, and governance. This approach provides the visibility needed to understand AI usage, the controls to mitigate risk, and the resilience to secure the entire AI application supply chain in today’s fast-changing enterprise environment.

Securing the AI supply chain with Wing Security

Wing Security delivers the visibility and control needed to manage sprawl, mitigate threats, and secure the AI supply chain. By extending its proven SaaS Security Posture Management (SSPM) foundation to address the unique risks of AI adoption, its broad integrations and continuous discovery, Wing identifies every AI application in use across the enterprise. Advanced analytics over vendor data and audit logs provide real-time insights into application misuse, risks of data exposure, and which third-party dependencies expand the attack surface. Wing then applies adaptive risk assessments and governance controls to ensure safe, compliant usage. This approach enables enterprises to innovate confidently with AI while reducing exposure to supply chain attacks, breaches, and regulatory violations.

Seizing the benefits of AI without sacrificing control or security

Wing Security empowers organizations to capture AI’s full potential without compromising safety. With continuous discovery, Wing identifies both sanctioned and unsanctioned applications and AI tools, shining a light on hidden usage across the enterprise. Advanced analytics provide clear assessments of vendor security and data practices, while governance controls ensure responsible adoption. Real-time monitoring and adaptive risk management protect sensitive information, mitigate threats, and reduce exposure to breaches. By addressing the challenges of Shadow IT and Shadow AI head-on, Wing transforms security into a business enabler, giving enterprises visibility, control, and confidence to innovate at the speed of AI while staying secure and compliant.

For customers, this focus on AI security translates into real business value:

• Safe innovation: Employees can adopt AI tools with confidence.
• Reduced exposure: Lower risk of breaches, supply chain attacks, or accidental data leakage.
• Regulatory readiness: Stronger governance to meet compliance requirements.
• Enterprise trust: Strengthened relationships with customers, partners, and regulators.

With Wing, organizations gain complete visibility, actionable risk insights, and stronger governance over their AI supply chain. This transforms security from a blocker into an enabler, empowering enterprises to innovate at the pace of AI while staying secure, compliant, and in control.

Securing the Future Work Environment

The future of our work environment is being reshaped by the rapid adoption of AI-powered applications. While these tools unlock new levels of productivity and innovation, they also create blind spots, Shadow AI risks, and complex supply chain vulnerabilities. Wing Security empowers organizations to embrace this new reality with confidence, delivering complete visibility, real-time monitoring, adaptive risk assessment, and governance across the AI supply chain. By doing so, Wing Security enables enterprises to innovate safely, stay compliant, and build trust in the modern digital workplace.

Ready to see what’s hiding in your stack? See what Wing can show you.

Sep 30, 2025Ravie LakshmananVulnerability / Linux

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch back in July 2025.

“Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability,” CISA said. “This vulnerability could allow a local attacker to leverage sudo’s -R (–chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.”

It’s currently not known how the shortcoming is being exploited in real-world attacks, and who may be behind such efforts. Also added to the KEV catalog are four other flaws –

• CVE-2021-21311 – Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information. (Disclosed as exploited by Google Mandiant in May 2022 by a threat actor called UNC2903 to target AWS IMDS setups)
• CVE-2025-20352 – Cisco IOS and IOS XE contain a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. (Disclosed as exploited by Cisco last week)
• CVE-2025-10035 – Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. (Disclosed as exploited by watchTowr Labs last week)
• CVE-2025-59689 – Libraesva Email Security Gateway (ESG) contains a command injection vulnerability that allows command injection via a compressed email attachment. (Disclosed as exploited by Libraesva last week)

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies relying on the affected products are advised to apply the necessary mitigations by October 20, 2025, to secure their networks.

Threat actors have been observed using seemingly legitimate artificial intelligence (AI) tools and software to sneakily slip malware for future attacks on organizations worldwide.

According to Trend Micro, the campaign is using productivity or AI-enhanced tools to deliver malware targeting various regions, including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region.

Manufacturing, government, healthcare, technology, and retail are some of the top sectors affected by the attacks, with India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada emerging as the regions with the most infections, indicating a global spread.

“This swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild,” security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro Tsang, Armando Nathaniel Pedragoza, Melvin Singwa, Mohammed Malubay, and Marco Dela Vega said.

The campaign has been codenamed EvilAI by Trend Micro, describing the attackers behind the operation as “highly capable” owing to their ability to blur the line between authentic and deceptive software for malware distribution and their ability to conceal its malicious features in otherwise functional applications.

Some of the programs distributed using the method include AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef. Some aspects of the campaign were documented in detail by Expel, G DATA, and TRUESEC last month.

What’s significant about the campaign is the lengths to which the attackers have gone to make these apps appear authentic and ultimately carry out a slew of nefarious activities in the background once installed, without raising any red flags. The deception is further enhanced by the use of signing certificates from disposable companies, as older signatures are revoked.

“Rather than relying on obviously malicious files, these trojans mimic the appearance of real software to go unnoticed into both corporate and personal environments, often gaining persistent access before raising any suspicion,” the company said. “This dual-purpose approach ensures the user’s expectations are met, further lowering the chance of suspicion or investigation.”

Further analysis by G GATA has also determined that the threat actors behind OneStart, ManualFinder, and AppSuite are the same and that the server infrastructure is shared for distributing and configuring all these programs.

“They have been peddling malware disguised as games, print recipe, recipe finder, manual finder, and lately, adding the buzzword ‘AI’ to lure users,” security researcher Banu Ramakrishnan said.

Expel said the developers behind AppSuite and PDF Editor campaigns have used at least 26 code-signing certificates issued for companies in Panama and Malaysia, among others, over the last seven years to make their software appear legitimate.

The cybersecurity company is tracking the malware signed using these certificates under the name BaoLoader, adding it’s different from TamperedChef, citing differences in the behavioral differences and the certificate patterns.

It’s worth noting that the name TamperedChef was first attributed to a malicious recipe application that’s configured to set up a stealthy communication channel with a remote server and receive commands that facilitate data theft.

“TamperedChef used code-signing certificates issued to companies in Ukraine and Great Britain while BaoLoader consistently used certificates from Panama and Malaysia,” the company pointed out.

And that’s not all. Field Effect and GuidePoint Security have since uncovered more digitally signed binaries that masquerade as calendar and image viewer tools, and make use of the NeutralinoJS desktop framework to execute arbitrary JavaScript code and siphon sensitive data.

“The use of NeutralinoJS to execute JavaScript payloads and interact with native system APIs enabled covert file system access, process spawning, and network communication,” Field Effect said. “The malware’s use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching.”

The Canadian cybersecurity company said the presence of several code-signing publishers across multiple samples suggests either a shared malware-as-a-service provider or a code-signing marketplace that facilitates broad distribution.

“The TamperedChef campaign illustrates how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques,” it said. “These tactics allow malware to masquerade as legitimate software, bypass endpoint defenses, and exploit user trust.”

Sep 29, 2025Ravie LakshmananCybersecurity / Hacking News

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway.

From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security decision.

Take a quick look to start your week informed and one step ahead.

⚡ Threat of the Week

Cisco 0-Day Flaws Under Attack — Cybersecurity agencies warned that threat actors have exploited two security flaws affecting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection. The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor, which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).

• Nimbus Manticore Uses MiniJunk in Critical Infra Attacks — An Iran-linked cyber-espionage group has expanded its operations beyond its traditional Middle Eastern hunting grounds to target critical infrastructure organizations across Western Europe using constantly improving malware variants and attack tactics. Nimbus Manticore, which overlaps with UNC1549 or Smoke Sandstorm, has been observed targeting defense manufacturing, telecommunications, and aviation companies in Denmark, Portugal, and Sweden. Central to the campaign are MiniJunk, an obfuscated backdoor that gives the attacker persistent access to infected systems, and MiniBrowse, a lightweight stealer with separate versions for stealing credentials from Chrome and Edge browsers. MiniJunk is an updated version of MINIBIKE (aka SlugResin), with the emails directing victims to fake job-related login pages that appear to be associated with companies like Airbus, Boeing, Flydubai, and Rheinmetall. In a further escalation of its tactics, Nimbus Manticore has been observed using the service SSL.com starting around May 2025 to sign their code and pass off malware as legitimate software programs, leading to a “drastic decrease in detections.”
• ShadowV2 Targets Docker for DDoS Attacks — A novel ShadowV2 bot campaign is turning distributed denial-of-service (DDoS) attacks into a full-blown for-hire business by targeting misconfigured Docker containers on AWS. Instead of relying on prebuilt malicious images, the attackers build containers on the victim’s machine itself to launch a Go-based RAT that can launch DDoS attacks. The exact rationale of the approach is unclear, though Darktrace researchers suggest it may have been a way to reduce forensic traces from importing a malicious container. Once installed, the malware sends a heartbeat signal to the C2 server every second, while also polling for new attack commands every five seconds.
• Cloudflare Mitigates Largest DDoS Attack on Record — Web performance and security company Cloudflare said its systems blocked a record-breaking distributed denial-of-service (DDoS) attack that peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), and lasted only 40 seconds. The attack was aimed at a single IP address of an unnamed European network infrastructure company. It’s believed that the attack may be powered by the AISURU botnet.
• Vane Viper Linked to Malicious Campaigns Distributing Malware — A high-volume cybercrime operation known as Vane Viper that’s been active for more than a decade is supported by a commercial digital advertising platform with a checkered past. Vane Viper takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting Web users to destinations such as exploit kits, malware, and sketchy websites. The findings suggest that Vane Viper is not acting as an unwitting intermediary but is a complicit enabler and active participant in malicious operations. It also shares parallels with VexTrio Viper in that both emerged from Eastern Europe around 2015 and are controlled by the Russian diaspora in Europe and Cyprus. “URL Solutions, Webzilla, and AdTech Holding form a closely connected trio of firms: domains registered en masse via a registrar steeped in cybercrime, hosted on infrastructure operated by a company that’s hosted everything from Methbot to state-sponsored disinformation, and payloads delivered via an ad network long implicated in malvertising,” Infoblox said. “Not only has PropellerAds turned a ‘blind eye’ to criminal abuse of their platform, but indicators […] suggest – with moderate-to-high confidence – that several ad-fraud campaigns originated from infrastructure attributed to PropellerAds.”
• 2 New Supermicro BMC Bugs Allow Implanting Malicious Firmware — Servers running on motherboards sold by Supermicro contain medium-severity vulnerabilities that can allow hackers to remotely install malicious firmware that runs even before the operating system, providing unprecedented persistence. That said, the caveat is that the threat actor needs to have administrative access to the BMC control interface to perform the update, or distribute them as part of a supply chain attack by compromising the servers used to host firmware updates and replacing the original images with malicious ones, all while keeping the signature valid. Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities, adding that it’s currently testing and validating affected products. The current status of the update is unknown.

‎️‍🔥 Trending CVEs

Hackers don’t wait. They exploit newly disclosed vulnerabilities within hours, transforming a missed patch or a hidden bug into a critical point of failure. One unpatched CVE is all it takes to open the door to a full-scale compromise. Below are this week’s most critical vulnerabilities, making waves across the industry. Review the list, prioritize patching, and close the window of opportunity before attackers do.

This week’s list includes — CVE-2025-20362, CVE-2025-20333, CVE-2025-20363 (Cisco), CVE-2025-59689 (Libraesva ESG), CVE-2025-20352 (Cisco IOS), CVE-2025-10643, CVE-2025-10644 (Wondershare RepairIt), CVE-2025-7937, CVE-2025-6198 (Supermicro BMC), CVE-2025-9844 (Salesforce CLI), CVE-2025-9125 (Lectora Desktop), CVE-2025-23298 (NVIDIA Merlin), CVE-2025-59545 (DotNetNuke), CVE-2025-34508 (ZendTo), CVE-2025-27888 (Apache Druid Proxy), CVE-2025-10858, CVE-2025-8014 (GitLab), and CVE-2025-54831 (Apache Airflow).

📰 Around the Cyber World

• Microsoft Offers ESU for Free in the E.U. — Microsoft has decided to offer free extended security updates for Windows 10 users in the European Economic Area (EEA), following pressure from the Euroconsumers group. “We are pleased to learn that Microsoft will provide a no-cost Extended Security Updates (ESU) option for Windows 10 consumer users in the European Economic Area (EEA),” Euroconsumers said. In other regions, users will need to either enable Windows Backup or pay $30 for the year or redeem 1,000 Microsoft Reward points. It’s worth noting that Windows 10 reached end of support (EoS) on October 14, 2025.
• Olymp Loader Spotted in the Wild — A new malware loader called Olymp Loader has been spotted in the wild, being propagated via GitHub repositories, or through tools disguised as popular software such as PuTTY, OpenSSL, Zoom, and even a Counter Strike mod called Classic Offensive. Written in assembly language, the malware-as-a-service (MaaS) solution provides built-in stealer modules, including a custom version of BrowserSnatch that’s available on GitHub. Campaigns using Olymp have been found to deliver an array of information stealers and remote access trojans like Lumma, Raccoon, WebRAT (aka SalatStealer), and Quasar RAT. The tool was first advertised by a seller named OLYMPO in HackForums on June 5, 2025, as a botnet, before evolving into a loader and a crypter. “The malware seller has published a roadmap that treats Olymp as a bundle comprising Olymp Botnet, Olymp Loader, Olymp Crypter, an install service, and a file‑scanning tool for antivirus testing,” Outpost24 said. “It remains to be seen whether OLYMPO can sustain and support a broader malware product suite over time.” Regardless, the emergence of yet another bundled crimeware stack can further lower the entry barrier for less experienced threat actors, allowing them to mount widespread campaigns at scale within a short amount of time.
• Malicious Facebook Ads Lead to JSCEAL Malware — Cybersecurity researchers have disclosed an ongoing campaign that’s using bogus ads on Facebook and Google to distribute premium versions of trading platforms like TradingView for free. According to Bitdefender, the activity has also expanded to YouTube, where sponsored ads on the platform are being used to direct users to malware-laced downloads that steal credentials and compromise accounts. These ads are posted via legitimate-but-compromised verified YouTube accounts to serve the ads. The attackers take pains to ensure that the hijacked channels mimic the official TradingView channel by reusing the latter’s branding and playlists to build credibility. An unlisted video uploaded by the rebranded channel, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” is estimated to have racked up more than 182,000 views through aggressive advertising. “The unlisted status is deliberate, of course. By not being publicly searchable, these malicious videos avoid casual reporting and platform moderation,” Bitdefender said. “Instead, they are shown exclusively through ad placements, ensuring they reach their targets while remaining hidden from public view.” The attacks ultimately led to the deployment of malware known as JSCEAL (aka WEEVILPROXY) to steal sensitive data.
• LockBit 5.0 Analyzed — The threat actors behind the LockBit ransomware have released a “significantly more dangerous” version, LockBit 5.0, on its sixth anniversary, with advanced obfuscation and anti-analysis techniques, while being capable of targeting Windows, Linux, and ESXi systems. “The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation,” Trend Micro said. “The preservation of core functionalities while adding new evasion techniques demonstrates the group’s strategy of incremental improvement to their ransomware platform.” LockBit may not be the most prolific ransomware group it once was ever since its infrastructure was disrupted in a law enforcement operation early last year, but the findings show that it continues to be as aggressive as ever when it comes to refining and retooling its tactics. “The Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like ETW patching and terminating security services,” the company said. “Meanwhile, the newly discovered Linux variant maintains similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization environments, designed to encrypt entire virtual machine infrastructures in a single attack.”
• Microsoft Blocks Access to Services Used by Israeli Military Unit — Microsoft has revealed that it “ceased and disabled” a set of services to Unit 8200 within the Israel Ministry of Defense (IMOD) that were used to enable mass surveillance of civilians in Gaza and the West Bank. It said it found evidence “relating to IMOD consumption of Azure storage capacity in the Netherlands and the use of AI services.” The secretive contract came to light last month following a report by The Guardian, along with +972 Magazine and Local Call, that revealed how Microsoft’s Azure service was being used to store and process millions of Palestinian civilian phone calls made each day in Gaza and the West Bank. The newspaper reported that the trove of intercepted calls amounted to 8,000 terabytes of data and was held in a Microsoft data center in the Netherlands. The collected data has been moved out of the country and is being planned to be transferred to the Amazon Web Services cloud platform.
• Ransomware Groups Use Stolen AWS Keys to Breach Cloud — Ransomware gangs are using Amazon Web Services (AWS) keys stored in local environments, such as Veeam backup servers, to pivot to a victim’s AWS account and steal data with the help of the Pacu AWS exploitation framework, turning what started as an on-premise event into a cloud compromise. “Threat actors are becoming increasingly adept at exploiting cloud environments — leveraging compromised AWS keys, targeting backup servers, and using advanced attack frameworks to evade detection,” Varonis said.
• Meta Unveils Ad-Free Option in the U.K. — Meta has launched an ad-free experience for Facebook and Instagram in the U.K., allowing users to pay £2.99 a month to access the platforms without ads on the web, and £3.99 a month for Android and iOS. “We will notify UK users over the age of 18 that they have the choice to subscribe to Facebook and Instagram for a fee to use these services without seeing ads,” the company said. “A reduced, additional fee of £2/month on the web or £3/month on iOS and Android will automatically apply for each additional account listed in a user’s Account Center.” Meta has significant hurdles in rolling out the scheme in the E.U., causing it to walk back its ad model, offering users the choice to receive “less personalized ads” that are full-screen and temporarily unskippable. Earlier this May, the European Commission said the model does not comply with the Digital Markets Act (DMA) and fined Meta €200 million. In response, the company said it would need to make modifications to the model that “could result in a materially worse user experience for European users and a significant impact.” In a report published in July 2025, privacy non-profit noyb said: “‘Pay or Okay’ has spread throughout the E.U. in recent years and can now be found on hundreds of websites. However, data protection authorities still haven’t adopted a consistent E.U.-wide approach to deal with these systems. They should have agreed on this long ago.”
• Dutch Teen Duo Arrested Over Alleged ‘Wi-Fi Sniffing’ for Russia — Two teenagers have been arrested in the Netherlands on suspicion of espionage, reportedly on behalf of Russian intelligence agencies. The boys, both aged 17, were arrested on Monday. One has been remanded in custody while the other has been released on home bail. The arrests are related to laws regarding state-sponsored interference, but additional details have been withheld due to the age of the suspects and the ongoing investigation. The teens are alleged to have been tasked with carrying a “Wi-Fi sniffer” along a route past buildings in The Hague, including the headquarters of Europol and Eurojust, as well as several embassies.
• Akira Ransomware Breaching MFA-Protected SonicWall VPN Accounts — Cybersecurity researchers have warned about an “aggressive” Akira ransomware campaign targeting SonicWall VPNs to rapidly deploy the locker as part of an attack wave that began on July 21, 2025. “In almost all intrusions, ransomware encryption took place in under four hours from initial access, with a staging interval as short as 55 minutes in some instances,” Arctic Wolf said in a new report. Other commonly observed post-exploitation activities include internal network scanning, Impacket SMB activity tied to discovery, Active Directory discovery, and VPN client logins originating from Virtual Private Server (VPS) hosting providers. Targeting firewall and LDAP-synchronized, several intrusions have involved the threat actors leveraging the dedicated account used for Active Directory synchronization to log in via SSL VPN, despite not being intentionally configured for such access. In more than 50% of the analyzed intrusions, login attempts were observed against accounts with the One Time Password (OTP) feature enabled. “Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware,” the company noted. “Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.”
• Four People to Face Trial Over Greece Spyware Scandal — Four individuals, two Israeli and two Greek employees of spyware vendor Intellect, are expected to face trial in Greece over the use of the Predator surveillance tool by the ruling government in 2022 to eavesdrop on judges, senior military officers, journalists, and the opposition. But to date, no government officials have been charged in connection with the scandal.
• Phishing Emails Lead to DarkCloud Stealer — The information stealer known as DarkCloud is being distributed via phishing emails masquerading as financial correspondence that trick recipients into opening malicious ZIP archives. The stealer, besides adding new layers of encryption and evasion, targets web browser data, keystrokes, FTP credentials, clipboard contents, email clients, files, and cryptocurrency wallets. Stolen credentials/data are sent to attacker-controlled Telegram, FTP, SMTP, or Web Panel (PHP) endpoints. It’s marketed on Telegram by a user named @BluCoder and on the clearnet through the domain darkcloud.onlinewebshop[.]net. It’s advertised as the “best surveillance software for parents, spouses, and employers.” Cybersecurity company eSentire said: “DarkCloud is an information-stealing malware written in VB6 and is actively being updated to target a wide range of applications, including email clients, FTP clients, cryptocurrency wallets, web browsers and supports numerous other information-stealing capabilities like keystroke/clipboard harvesting, clipboard hijacking, and file collection.”
• Nupay Plugs “Configuration Gap” — Indian fintech company Nupay said it addressed a configuration gap after UpGuard flagged an unprotected Amazon S3 storage bucket containing more than 270,000 documents related to bank transfers of Indian customers. The exposed information included bank account numbers, transaction amounts, names, phone numbers, and email addresses. The data was linked to at least 38 different banks and financial institutions. It’s currently not known how long the data was left publicly accessible on the internet, although misconfigurations of this kind are not uncommon. Nupay told TechCrunch the bucket exposed a “limited set of test records with basic customer details,” and that a majority of the details were “dummy or test files.”
• Top AI Chatbots Provide Answers with False Claims — Some of the top AI chatbots’ tendency to repeat false claims on topics in the news increased nearly twice as much as they did last year, according to an audit by NewsGuard. The disinformation rates of the chatbots have almost doubled, going from 18% in August 2024 to 35% a year later, with the tools providing false claims to news prompts more than one-third of the time. “Instead of citing data cutoffs or refusing to weigh in on sensitive topics, the LLMs now pull from a polluted online information ecosystem — sometimes deliberately seeded by vast networks of malign actors, including Russian disinformation operations — and treat unreliable sources as credible,” it said.
• Israel’s PM Says His U.N. Speech Streamed Directly to Gaza Cellphones — Israeli Prime Minister Benjamin Netanyahu said his speech at the United Nations last week was also pushed to mobile phones of Gaza residents in an unprecedented operation. “Ladies and gentlemen, thanks to special efforts by Israeli intelligence, my words are now also being carried,” Netanyahu said. “They’re streamed live through the cell phones of Gaza.” There is no evidence for how it would’ve worked or if this actually took place.
• Fake Teams Installers Lead to Oyster Malware — Threat actors are abusing SEO poisoning and malvertising to lure users searching for Teams online into downloading a fake installer that leads to malware called Oyster (aka Broomstick or CleanUpLoader). “Oyster is a modular, multistage backdoor that provides persistent remote access, establishes Command and Control (C2) communications, collects host information, and enables the delivery of follow-on payloads,” Blackpoint said. “By hiding behind a widely used collaboration platform, Oyster is well positioned to evade casual detection and blend into the noise of normal enterprise activity.” The activity has been attributed by Conscia to Vanilla Tempest (aka Storm-0832 or Vice Society).
• Flaw in Streamlit Framework Patched — Cybersecurity researchers discovered a vulnerability in the Streamlit app deployment framework that can allow attackers to hijack underlying cloud servers. “To do that, threat actors bypass file type restrictions and take full control of a misconfigured cloud instance running Streamlit applications,” Cato Networks said. In a hypothetical attack scenario, bad actors can exploit a file upload vulnerability in the framework to rewrite server files and deploy new SSH configurations. Streamlit released a security patch in March.

🎥 Cybersecurity Webinars

• Beyond the Hype: Practical AI Workflows for Cybersecurity Teams — AI is transforming cybersecurity workflows, but the best results come from blending human oversight with automation. In this webinar, Thomas Kinsella of Tines shows how to pinpoint where AI truly adds value, avoid over-engineering, and build secure, auditable processes that scale.
• Halloween Special: Real Breach Stories and the Fix to End Password Horrors — Passwords are still a prime target for attackers—and a constant pain for IT teams. Weak or reused credentials, frequent helpdesk resets, and outdated policies expose organizations to costly breaches and reputational damage. In this Halloween-themed webinar from The Hacker News and Specops Software, you’ll see real breach stories, discover why traditional password policies fail, and watch a live demo on blocking compromised credentials in real time—so you can end password nightmares without adding user friction.
• From Code to Cloud: Learn How to See Every Risk, Fix Every Weak Link — Modern AppSec needs end-to-end visibility from code to cloud. Without it, hidden flaws delay fixes and raise risk. This webinar shows how code-to-cloud mapping unites dev, DevOps, and security to prioritize and remediate faster, forming the backbone of effective ASPM.

🔧 Cybersecurity Tools

• Pangolin — It is a self-hosted reverse proxy that securely exposes private services to the internet without opening firewall ports. It creates encrypted WireGuard tunnels to connect isolated networks and includes built-in identity and access management, so you can control who reaches your internal apps, APIs, or IoT devices. Ideal for developers, DevOps teams, or organizations needing safe remote access, Pangolin simplifies sharing internal resources while keeping them protected behind strong authentication and role-based permissions.
• AI Red Teaming Playground — Microsoft’s AI Red Teaming Playground Labs offers hands-on challenges to practice probing AI systems for security gaps. Built on Chat Copilot and powered by the open-source PyRIT framework, it lets you simulate prompt injections and other adversarial attacks to identify hidden risks in generative AI before deployment.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Hardening Active Directory Against Modern Attacks — Active Directory is a prime target—compromise it and attackers can own your network. Strengthen its defenses starting with Kerberos FAST (Flexible Authentication Secure Tunneling), which encrypts pre-authentication traffic to block offline password cracking and relay attacks. Deploy it in “Supported” mode, monitor KDC events (IDs 34, 35), then enforce “Required” once all clients are ready.

Run PingCastle for a rapid forest health check and use ADeleg/ADeleginator to uncover dangerous over-delegation in OUs or service accounts. Harden password security with Fine-Grained Password Policies (FGPP) and automate local admin password rotation using LAPS or Lithnet Password Protection to block breached credentials in real time.

Tighten other control layers: use AppLocker Inspector/Gen to lock down application execution and GPOZaurr to detect orphaned or risky Group Policy Objects. Scan AD Certificate Services with Locksmith to close misconfigurations and use ScriptSentry to catch malicious logon scripts that enable stealthy persistence.

Finally, apply CIS or Microsoft security baselines and generate custom Attack Surface Reduction rules with ASRGen to block exploit techniques that bypass standard policies. This layered, rarely implemented strategy raises the cost of compromise and forces even advanced adversaries to work far harder.

Conclusion

These headlines show how tightly connected our defenses must be in today’s threat landscape. No single team, tool, or technology can stand alone—strong security depends on shared awareness and action.

Take a moment to pass these insights along, spark a conversation with your team, and turn this knowledge into concrete steps. Every patch applied, policy updated, or lesson shared strengthens not just your own organization, but the wider cybersecurity community we all rely on.

Security leaders are embracing AI for triage, detection engineering, and threat hunting as alert volumes and burnout hit breaking points.

A comprehensive survey of 282 security leaders at companies across industries reveals a stark reality facing modern Security Operations Centers: alert volumes have reached unsustainable levels, forcing teams to leave critical threats uninvestigated. You can download the full report here. The research, conducted primarily among US-based organizations, shows that AI adoption in security operations has shifted from experimental to essential as teams struggle to keep pace with an ever-growing stream of security alerts.

The findings paint a picture of an industry at a tipping point, where traditional SOC models are buckling under operational pressure and AI-powered solutions are emerging as the primary path forward.

Alert Volume Reaches Breaking Point

Security teams are drowning in alerts, with organizations processing an average of 960 alerts per day. Large enterprises face an even more daunting reality, handling over 3,000 daily alerts from an average of 30 different alert-generating security tools.

This volume creates a fundamental operational crisis where security teams must make difficult detection and investigation decisions under extreme time pressure. The survey reveals that alert fatigue has evolved beyond an emotional burden to become a measurable operational risk.

Investigations Remain Slow and Manual

The sheer mathematics of alert processing exposes the problem’s scale. The survey results revealed that it takes an average of 70 minutes to fully investigate an alert, that is, if someone can find the time to look at it. According to the survey, a full 56 minutes pass on average before anyone acts on an alert. This impossibility forces difficult choices about which alerts receive attention and which get ignored.

The survey results have unequivocally demonstrated a critical and well-known challenge within Security Operations Centers (SOCs): the sheer volume of alerts generated daily far exceeds the capacity of human analysts to investigate them thoroughly. Compounding the problem, modern security stacks and data sources continue to grow in number and complexity, leading to longer investigation times.

For high-priority incidents requiring immediate attention, these timeframes represent unacceptable delays that can compound breach severity. According to the latest CrowdStrike Cyber Threat Report, it only takes 48 minutes on average for a cyber threat like a Business Email Compromise to result in an incident.

The Hidden Cost of Overwhelmed SOCs

This overwhelming influx creates an impossible dilemma, forcing SOC teams to make difficult and often risky choices about which alerts receive attention and which are, by necessity, ignored. The consequence of this impossible situation is a heightened risk of missing genuine threats amidst the noise, ultimately compromising an organization’s security posture.

40% of security alerts go completely uninvestigated due to volume and resource constraints. Even more troubling, 61% of security teams admitted to ignoring alerts that later proved to be critical security incidents.

This statistic represents a fundamental breakdown in security operations. Teams designed to protect organizations are systematically unable to examine nearly half of the potential threats they detect. The survey reveals that this isn’t negligence but rather a forced adaptation to impossible workload demands.

SOC Teams Struggle with 24/7 Operations

The survey exposes critical gaps in round-the-clock security coverage. Many organizations lack sufficient staffing to maintain effective 24/7 SOC operations, creating vulnerability windows during off-hours when skeleton crews handle the same alert volumes that overwhelm full-strength day shifts.

Analyst burnout has become a quantifiable problem rather than just an HR concern. Teams report that suppressing detection rules has become a default coping mechanism when alert volumes become unmanageable. This approach reduces immediate workload but potentially creates blind spots in security coverage.

The staffing challenges are compounded by the specialized nature of security analysis work. Organizations cannot easily scale their teams to match alert volume growth, particularly given the shortage of experienced cybersecurity professionals in the current job market.

AI transitions from experiment to strategic priority

AI for security operations has rapidly climbed the priority ladder, now ranking as a top-three initiative alongside core security programs like cloud security and data security. This signals a fundamental shift in how security leaders view AI as a critical enabler for operational success today.

Currently, 55% of security teams already deploy AI copilots and assistants in production to support alert triage and investigation workflows.

The next wave of adoption is coming fast. Among teams not yet using AI, 60% plan to evaluate AI-powered SOC solutions within the year. And looking ahead, 60% of all SOC workloads are expected to be handled by AI in the next three years, according to the survey.

Organizations seek AI for core investigative tasks

Security teams have identified where AI can make the biggest immediate difference. Triage tops the list at 67%, followed closely by detection tuning (65%) and threat hunting (64%).

These priorities reflect a growing desire to apply AI to the early stages of investigation and surfacing meaningful alerts while providing initial context, and offloading repetitive analysis. It’s not about automating away human judgment, but about accelerating workflows and sharpening human focus.

Barriers Remain but Momentum is Clear

Despite strong adoption intentions, security leaders identify meaningful barriers to AI implementation. Data privacy concerns, integration complexity, and explainability requirements top the list of organizational hesitations.

The Future SOC Takes Shape

The survey data reveals a clear trajectory toward hybrid security operations where AI handles routine analysis tasks and human analysts focus on complex investigations and strategic decision-making. This evolution promises to address both the volume problem and analyst burnout simultaneously.

Success metrics for this transformation will likely center on operational efficiency improvements. Organizations will measure progress through reduced Mean Time to Investigation (MTTI) and Mean Time to Response (MTTR) in addition to traditional alert closure rates. Other meaningful success metrics include using AI to upskill and train new SOC Analyst and dramatically accelerate ramp up time.

By ensuring comprehensive alert coverage through AI augmentation, organizations can reduce the risk tolerance currently forced by volume constraints. The future SOC will investigate more alerts more thoroughly while requiring less manual effort from human analysts.

How Prophet Security Helps Customers

Prophet Security helps organizations move beyond manual investigations and alert fatigue with an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across the existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and delivers more consistent security outcomes. Security leaders use Prophet AI to maximize the value of their people and tools, strengthen their security posture, and turn daily SOC operations into measurable business results. Visit Prophet Security to learn more or request a demo and see how Prophet AI can elevate your SOC operations.