Tag: Cyber Security

Sep 05, 2025Ravie LakshmananMalware / Cryptocurrency

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system.

The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia.

The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed.

The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods.

In all, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025.

“Looking deeper, we saw that the earliest samples were larger, around 25 MB, and the size decreased over time, suggesting the attackers were evolving their payloads,” VirusTotal said.

The disclosure comes as cracked versions of legitimate software and ClickFix-style tactics are being used to lure users into infecting their Apple macOS systems with an information stealer called Atomic macOS Stealer (AMOS), exposing businesses to credential stuffing, financial theft, and other follow-on attacks.

“AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders,” Trend Micro said. “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.”

The attack chain essentially involves targeting users looking for cracked software on sites like haxmac[.]cc, redirecting them to bogus download links that provide installation instructions designed to trick them into running malicious commands on the Terminal app, thus triggering the deployment of AMOS.

It’s worth noting that Apple prevents the installation of .dmg files lacking proper notarization due to macOS’s Gatekeeper protections, which require the application packages to be signed by an identified developer and notarized by Apple.

“With the release of macOS Sequoia, attempts to install malicious or unsigned .dmg files, such as those used in AMOS campaigns, are blocked by default,” the company added. “While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods.”

This is why threat actors are increasingly banking on ClickFix, as it allows the stealer to be installed on the machine using Terminal by means of a curl command specified in the software download page.

“While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” Trend Micro said. “This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.”

The development also follows the discovery of a “sprawling cyber campaign” that’s targeting gamers on the lookout for cheats with StealC stealer and crypto theft malware, netting the threat actors more than $135,000.

Per CyberArk, the activity is notable for leveraging StealC’s loader capabilities to download additional payloads, in this case, a cryptocurrency stealer that can siphon digital assets from users on infected machines.

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam.

The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024.

“While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” ESET researcher Fernando Tavella said in a report shared with The Hacker News.

“Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites.”

Some of the other targets of the hacking group include Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The activity is also said to be indiscriminate, with entities in the education, healthcare, insurance, transportation, technology, and retail sectors singled out.

Initial access to target networks is accomplished by exploiting a vulnerability, likely an SQL injection flaw, after which PowerShell is used to deliver additional tools hosted on a staging server (“868id[.]com”).

“This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a stored procedure xp_cmdshell that can be used to execute commands on a machine,” ESET said.

Rungan is designed to await incoming requests from a URL matching a predefined pattern (i.e., “https://+:80/v1.0/8888/sys.html”), and then proceeds to parse and execute the commands embedded in them. It supports four different commands –

• mkuser, to create a user on the server with the username and password provided
• listfolder, to collect information from a provided path (unfinished)
• addurl, to register new URLs that the backdoor can listen on
• cmd, to run a command on the server using pipes and the CreateProcessA API

Written in C/C++, Gamshen is an example of an IIS malware family called “Group 13,” which can act both as a backdoor and conduct SEO fraud. It functions similar to IISerpent, another IIS-specific malware that was documented by ESET back in August 2021.

IISerpent, configured as a malicious extension for Microsoft’s web server software, allows it to intercept all HTTP requests made to the websites hosted by the compromised server, specifically those originating from search engine crawlers, and change the server’s HTTP responses with the goal of redirecting the search engines to a scam website of the attacker’s choosing.

“GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” Tavella said.

It’s currently not known where these backlinks redirect unsuspecting users to, but it’s believed that the SEO fraud scheme is being used to promote various gambling websites.

Also dropped alongside Rungan and Gamshen are various other tools –

• GoToHTTP to establish a remote connection that’s accessible from a web browser
• BadPotato or EfsPotato for creating a privileged user in the Administrators group
• Zunput to collect information about websites hosted on the IIS server and drop ASP, PHP, and JavaScript web shells

It’s assessed with medium confidence that GhostRedirector is a China-aligned threat actor based on the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., to sign the privilege escalation artifacts, and the use of the password “huang” for one of the GhostRedirector-created users on the compromised server.

That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud. Over the past year, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has engaged in SEO manipulation via BadIIS malware.

“Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website – potentially a paying client participating in an SEO fraud as-a-service scheme,” the company said.

“GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.”

Sep 04, 2025Ravie LakshmananCybersecurity / Malware

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.

NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”

The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.

The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading.

This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections.

Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection.

NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

It then proceeds to create a folder at the path %TEMP%Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed.

The malware supports four different commands –

• cmd, to execute commands and return the standard output as an email attachment
• cmdno, to execute commands
• dwn, to exfiltrate files from the victim’s computer by sending them as email attachments
• upl, to drop files to the victim’s computer

“Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.”

The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon‘s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth.

“This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said.

“Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.”

Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional

payloads.

“This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.

Sep 04, 2025Ravie LakshmananVulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild.

The vulnerabilities in question are listed below –

• CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”
• CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution

According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status –

• TL-WR841N (versions 10.0 and 11.0)
• TL-WR841ND (version 10.0)
• Archer C7 (versions 2.0 and 3.0)

However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity.

“The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said. “For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.”

There are no public reports explicitly referencing the exploitation of the aforementioned vulnerabilities, but TP-Link, in an advisory updated last week, linked in-the-wild activity to a botnet known as Quad7 (aka CovertNetwork-1658), which has been leveraged by a China-linked threat actor codenamed Storm-0940 to conduct highly evasive password spray attacks.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are being urged to apply the necessary mitigations by September 24, 2025, to secure their networks.

The development comes a day after CISA placed another high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products (CVE-2020-24363, CVSS score: 8.8) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Sep 04, 2025Ravie LakshmananGDPR / Data Privacy

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted.

The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.”

Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE).

French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent. Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day.

The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020.

In related privacy-related announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S. Children’s Online Privacy Protection Rule (COPPA).

The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads.

In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.

Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third-party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA.

“Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said. “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.”

Sep 04, 2025Ravie LakshmananArtificial Intelligence / Malware

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok.

The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking.

The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.

To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player that apparently isn’t scanned by the social media platform.

In the next step, the fraudsters tag Grok in replies to the post, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response.

“Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions,” Tal said.

“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”

Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams, information-stealing malware, and other suspicious content via direct link (aka smartlink) monetization.

The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content.

The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts.

“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”

Sep 03, 2025Ravie LakshmananMalware / Social Engineering

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar.

“The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

The packages, both uploaded to npm in July 2025 and no longer available for download, are listed below –

The software supply chain security firm said the libraries are part of a larger and sophisticated campaign impacting both npm and GitHub, tricking unsuspecting developers into downloading and running them.

While the packages themselves make no effort to conceal their malicious functionality, ReversingLabs noted that the GitHub projects that imported these packages took pains to make them look credible.

As for the packages themselves, the nefarious behavior kicks in once either of them is used or included in some other project, causing it to fetch and run a next-stage payload from an attacker-controlled server.

Although this is par for the course when it comes to malware downloaders, where it stands apart is the use of Ethereum smart contracts to stage the URLs hosting the payload – a technique reminiscent of EtherHiding. The shift underscores the new tactics that threat actors are adopting to evade detection.

Further investigation into the packages has revealed that they are referenced in a network of GitHub repositories claiming to be a solana-trading-bot-v2 that leverages “real-time on-chain data to execute trades automatically, saving you time and effort.” The GitHub account associated with the repository is no longer available.

It’s assessed that these accounts are part of a distribution-as-service (DaaS) offering called Stargazers Ghost Network, which refers to a cluster of bogus GitHub accounts that are known to star, fork, watch, commit, and subscribe to malicious repositories to artificially inflate their popularity.

Included among those commits are source code changes to import colortoolsv2. Some of the other repositories caught pushing the npm package are ethereum-mev-bot-v2, arbitrage-bot, and hyperliquid-trading-bot.

The naming of these GitHub repositories suggests that the cryptocurrency developers and users are the primary target of the campaign, using a combination of social engineering and deception.

“It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle,” Valentić said. “And that means pulling back the covers on both open source packages and their maintainers: looking beyond raw numbers of maintainers, commits and downloads to assess whether a given package – and the developers behind it – are what they present themselves as.”

Sep 03, 2025Ravie LakshmananMobile Security / Vulnerability

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

The vulnerabilities are listed below –

• CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
• CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component

Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.

The tech giant did not reveal how the issues have been weaponized in real-world attacks, but acknowledged there are indications of “limited, targeted exploitation.”

Also patched by Google are several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities impacting Framework and System components.

Google has released two security patch levels, 2025-09-01 and 2025-09-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.

“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” Google said.

Last month, the tech giant Google released security updates to resolve two Qualcomm vulnerabilities — CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5) — that were flagged by the chipmaker as actively exploited in the wild.

In January 2025, cybersecurity experts at Wiz Research found that Chinese AI specialist DeepSeek had suffered a data leak, putting more than 1 million sensitive log streams at risk.

According to the Wiz Research team, they identified a publicly accessible ClickHouse database belonging to DeepSeek. This allowed “full control over database operations, including the ability to access internal data”, Wiz Research stated, with more than a million lines of log streams involved, containing chat history, secret keys and more.

Wiz immediately reported the issue to DeepSeek, which quickly secured the exposure. Still, the incident underscored the danger of data leakage.

Intentional or unintentional?

Data leakage is a broad concept, covering a range of scenarios. As IBM notes, the term in general refers to a scenario where “sensitive information is unintentionally exposed to unauthorized parties”.

It could be intentional or unintentional. On the intentional side, for instance, hackers could use phishing or social engineering techniques to manipulate an organization’s employees into exposing their personal data.

There’s even the risk of an insider threats: for instance, a worker with a grudge who seeks to compromise systems, perhaps for financial benefit or as part of some quest for revenge.

But unintentional leakage is just as big a concern. This could be a case of simple human error: sending an email to the wrong person or providing too much information to a third party for example.

There are a wide range of common vectors – we’ll run through just a few.

Misconfigured cloud storage

Cloud misconfigurations can be a common cause of data leakage. The Cloud Security Alliance highlights the danger from simple mistakes, like leaving default passwords in place or failing to properly configure access controls.

Endpoint vulnerabilities

Data processed through hardware like unencrypted laptops or stored in devices such as USBs can be a key vulnerability for leakage; it’s important that employees are aware of – and follow – organizational security policies to mitigate this risk.

Emails and messaging

There’s a real danger that data can be intercepted: this could come from a simple error (sending a sensitive attachment to the wrong address) or through a deliberate attack. Robust encryption is essential to ensure it stays in the right hands.

Shadow IT

Employees often use their own IT as part of their daily working lives (such as external cloud technologies), including for data storage. While this isn’t generally malicious, it can make risk management more difficult, notes the UK’s National Cyber Security Centre (NCSC), “because you won’t have a full understanding of what you need to protect and what you value most.”

Financial and legal problems

There are several common drivers of data leakage, ranging from weak access controls to a lack of data-classification policies, insufficient monitoring, and inadequate employee training. But no matter the specific cause, the consequences can be devastating.

For example, regulatory authorities around the world now enforce strict data protection policies, which can result in huge fines for organizations that fail to comply; this includes the EU’s General Daa Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

There is also the broader risk of losing intellectual property (IP) or other sensitive company information. Crimes like credit card fraud could stem from a leak, while public companies could even see a fall in their share price.

Perhaps most importantly, failing to protect employee and customer data could have a devastating impact on an organization’s reputation, with long-term negative implications for the business.

Building your defenses

So how can organizations protect themselves, their employees and their customers from the dangers of data leakage? Here are some key approaches:

Enforce least-privilege access: By granting users access only to the data they need to perform their job, the ‘blast radius’ of a breach or leakage will be significantly reduced.

Pursue data loss prevention (DLP): This is a wide-ranging solution, combining technologies like AI and antivirus software with techniques and actions focused on people and processes, all with the aim of identifying and preventing data-connected harm.

Classify sensitive data: Protection begins with knowledge. Develop a thorough understanding of your riskiest data to ensure you know where to prioritize your security implementation.

Audits: Through both external audit checks and a comprehensive internal audit program, organizations can increase their chances of identifying potential vulnerabilities.

Training: Of course, no technical solution or operational enhancement can succeed without full employee engagement and understanding. Adequate training will ensure your staff and other stakeholders are up to speed, while engagement may even produce new insights into vulnerabilities and mitigation techniques.

CompassDRP: Detect leaked data

As your digital attack surface grows, so does the risk of data leakage. Outpost24’s CompassDRP helps organizations manage this expanding threat environment, with a key module focused on data leakage.

The feature has crucial applications for many businesses. These include:

• Detect potentially leaked documents or confidential data: Users often rely on unauthorized or misconfigured applications to share documents and sometimes confidential data with customers or colleagues. The Data Leakage feature is designed to detect such cases across numerous sources, including document repositories.
• Detect potentially leaked source code: Such leakages could reveal internal information to an attacker, including IP or even the authentication tokens in the code. The Data Leakage feature searches code repositories to detect these leaks.

Organizations of all sizes deal with growing volumes of data today. This is a huge advantage, helping gather insights into your business and your customer base. However, it also poses risks, as we have seen.

By embracing technological innovation and operational enhancements, you can help ensure your organization realizes the many benefits of this information without succumbing to the dangers and costly consequences of data leakage. Book a CompassDRP live demo.

Sep 03, 2025Ravie LakshmananArtificial Intelligence / Vulnerability

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws.

HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges.

Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling.

But according to a report from Check Point, threat actors are trying their hands on the tool to gain an adversarial advantage, attempting to weaponize the tool to exploit recently disclosed security vulnerabilities.

“This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” the cybersecurity company said.

Discussions on darknet cybercrime forums show that threat actors claim to have successfully exploited the three security flaws that Citrix disclosed last week using HexStrike AI, and, in some cases, even flag seemingly vulnerable NetScaler instances that are then offered to other criminals for sale.

Check Point said the malicious use of such tools has major implications for cybersecurity, not only shrinking the window between public disclosure and mass exploitation, but also helping parallelize the automation of exploitation efforts.

What’s more, it cuts down the human effort and allows for automatically retrying failed exploitation attempts until they become successful, which the cybersecurity company said increases the “overall exploitation yield.”

“The immediate priority is clear: patch and harden affected systems,” it added. “Hexstrike AI represents a broader paradigm shift, where AI orchestration will increasingly be used to weaponize vulnerabilities quickly and at scale.”

The disclosure comes as two researchers from Alias Robotics and Oracle Corporation said in a newly published study that AI-powered cybersecurity agents like PentestGPT carry heightened prompt injection risks, effectively turning security tools into cyber weapons via hidden instructions.

“The hunter becomes the hunted, the security tool becomes an attack vector, and what started as a penetration test ends with the attacker gaining shell access to the tester’s infrastructure,” researchers Víctor Mayoral-Vilches and Per Mannermaa Rynning said.

“Current LLM-based security agents are fundamentally unsafe for deployment in adversarial environments without comprehensive defensive measures.”