Tag: Cyber Security

Sep 06, 2025Ravie LakshmananSoftware Security / Cryptocurrency

A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers.

“The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher Kush Pandya said in an analysis.

The packages were uploaded to npm by a user named “flashbotts,” with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below –

The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of Maximal Extractable Value (MEV) on the Ethereum network, such as sandwich, liquidation, backrunning, front-running, and time-bandit attacks.

The most dangerous of the identified libraries is “@flashbotts/ethers-provider-bundle,” which uses its functional cover to conceal the malicious operations. Under the guise of offering full Flashbots API compatibility, the package incorporates stealthy functionality to exfiltrate environment variables over SMTP using Mailtrap.

In addition, the npm package implements a transaction manipulation function to redirect all unsigned transactions to an attacker-controlled wallet address and log metadata from pre-signed transactions.

sdk-ethers, per Socket, is mostly benign but includes two functions to transmit mnemonic seed phrases to a Telegram bot that are only activated when they are invoked by unwitting developers in their own projects.

The second package to impersonate Flashbots, flashbot-sdk-eth, is also designed to trigger the theft of private keys, while gram-utilz offers a modular mechanism for exfiltrating arbitrary data to the threat actor’s Telegram chat.

With mnemonic seed phrases serving as the “master key” to recover access to cryptocurrency wallets, theft of these sequences of words can allow threat actors to break into victims’ wallets and gain complete control over their wallets.

The presence of Vietnamese language comments in the source code suggest that the financially-motivated threat actor may be Vietnamese-speaking.

The findings indicate a deliberate effort on part of the attackers to weaponize the trust associated with the platform to conduct software supply chain attacks, not to mention obscure the malicious functionality amidst mostly harmless code to sidestep scrutiny.

“Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets,” Pandya pointed out. “A compromised private key in this environment can lead to immediate, irreversible theft of funds.”

“By exploiting developer trust in familiar package names and padding malicious code with legitimate utilities, these packages turn routine Web3 development into a direct pipeline to threat actor-controlled Telegram bots.”

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity.

“Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.”

Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group.

“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.

The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework.

Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers.

As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.

In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.

The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.

With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of the tools used during these phases are listed below –

• EarthWorm for network tunneling using SOCKS
• DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network
• SharpHound for Active Directory reconnaissance
• GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens
• Remote Desktop Protocol (RDP) for lateral movement

The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credentials access and facilitate lateral movement via RDP.

“With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods,” Mandiant added.

To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise.

“The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances,” Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.

“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we’ve seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet.”

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones.

“Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE),” Dewhurst added.

“Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.”

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT.

“Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said.

The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.

CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.

A subsequent analysis from IBM X-Force last month found that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software.

“Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said.

“The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.”

Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.

CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to host C2 servers (“programsbookss[.]com”).

Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking the same malware under the name NightshadeC2.

The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions.

“As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.”

That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.

eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, makes use of techniques like UAC Prompt Bombing to sidestep security protections. The Canadian cybersecurity company said it also identified variants equipped with features to extract passwords and cookies from Chromium- and Gecko-based web browsers.

In a nutshell, the process involves running a PowerShell command in a loop that attempts to add an exclusion in Windows Defender for the final payload (i.e., NightshadeC2), after which the loader verifies the exit code of the PowerShell process to ascertain if it’s 0 (meaning success).

If the exclusion is successfully added, the loader proceeds to deliver the malware. If any other exit code other than 0 is returned, the loop keeps executing repeatedly, forcing the user to approve the User Account Control (UAC) prompt.

“A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop,” eSentire said, adding the method enables a bypass of multiple sandbox solutions.

The development comes as Hunt.io detailed another malware loader codenamed TinyLoader that has been used to serve Redline Stealer and DCRat.

Besides establishing persistence by modifying Windows Registry settings, the malware monitors the clipboard and instantly replaces copied crypto wallet addresses. Its C2 panels are hosted across Latvia, the U.K., and the Netherlands.

“TinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said. “It spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.”

The findings also coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey and a Python information stealer referred to as Inf0s3c Stealer, that can collect keyboard input and gather extensive system information, respectively.

Further analysis of Inf0s3c Stealer has identified points of similarity with Blank Grabber and Umbral-Stealer, two other publicly available malware families, suggesting that the same author could be responsible for all three strains.

“TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information,” CYFIRMA said.

Inf0s3c Stealer “systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates hierarchical views of user directories, such as Desktop, Documents, Pictures, and Downloads.”

Sep 05, 2025Ravie LakshmananVulnerability / Enterprise Security

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild.

The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month.

“SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.

Successful exploration of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes.

SecurityBridge Threat Research Labs, in an alert issued Thursday, said it has observed active exploitation of the flaw, stating the issue impacts both on-premise and Private Cloud editions.

“Exploitation requires access only to a low-privileged user to fully compromise an SAP system,” the company said. “A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.”

It also noted that while widespread exploitation has not yet been detected, threat actors possess the knowledge to use it, and that reverse engineering the patch to create an exploit is “relatively easy.”

As a result, organizations are advised to apply the patches as soon as possible, monitor logs for suspicious RFC calls or new admin users, and ensure appropriate segmentation and backups are in place.

“Consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02,” it also said.

Sep 05, 2025Ravie LakshmananMalware / Cryptocurrency

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system.

The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia.

The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed.

The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods.

In all, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025.

“Looking deeper, we saw that the earliest samples were larger, around 25 MB, and the size decreased over time, suggesting the attackers were evolving their payloads,” VirusTotal said.

The disclosure comes as cracked versions of legitimate software and ClickFix-style tactics are being used to lure users into infecting their Apple macOS systems with an information stealer called Atomic macOS Stealer (AMOS), exposing businesses to credential stuffing, financial theft, and other follow-on attacks.

“AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders,” Trend Micro said. “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.”

The attack chain essentially involves targeting users looking for cracked software on sites like haxmac[.]cc, redirecting them to bogus download links that provide installation instructions designed to trick them into running malicious commands on the Terminal app, thus triggering the deployment of AMOS.

It’s worth noting that Apple prevents the installation of .dmg files lacking proper notarization due to macOS’s Gatekeeper protections, which require the application packages to be signed by an identified developer and notarized by Apple.

“With the release of macOS Sequoia, attempts to install malicious or unsigned .dmg files, such as those used in AMOS campaigns, are blocked by default,” the company added. “While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods.”

This is why threat actors are increasingly banking on ClickFix, as it allows the stealer to be installed on the machine using Terminal by means of a curl command specified in the software download page.

“While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” Trend Micro said. “This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.”

The development also follows the discovery of a “sprawling cyber campaign” that’s targeting gamers on the lookout for cheats with StealC stealer and crypto theft malware, netting the threat actors more than $135,000.

Per CyberArk, the activity is notable for leveraging StealC’s loader capabilities to download additional payloads, in this case, a cryptocurrency stealer that can siphon digital assets from users on infected machines.

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam.

The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024.

“While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” ESET researcher Fernando Tavella said in a report shared with The Hacker News.

“Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites.”

Some of the other targets of the hacking group include Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The activity is also said to be indiscriminate, with entities in the education, healthcare, insurance, transportation, technology, and retail sectors singled out.

Initial access to target networks is accomplished by exploiting a vulnerability, likely an SQL injection flaw, after which PowerShell is used to deliver additional tools hosted on a staging server (“868id[.]com”).

“This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a stored procedure xp_cmdshell that can be used to execute commands on a machine,” ESET said.

Rungan is designed to await incoming requests from a URL matching a predefined pattern (i.e., “https://+:80/v1.0/8888/sys.html”), and then proceeds to parse and execute the commands embedded in them. It supports four different commands –

• mkuser, to create a user on the server with the username and password provided
• listfolder, to collect information from a provided path (unfinished)
• addurl, to register new URLs that the backdoor can listen on
• cmd, to run a command on the server using pipes and the CreateProcessA API

Written in C/C++, Gamshen is an example of an IIS malware family called “Group 13,” which can act both as a backdoor and conduct SEO fraud. It functions similar to IISerpent, another IIS-specific malware that was documented by ESET back in August 2021.

IISerpent, configured as a malicious extension for Microsoft’s web server software, allows it to intercept all HTTP requests made to the websites hosted by the compromised server, specifically those originating from search engine crawlers, and change the server’s HTTP responses with the goal of redirecting the search engines to a scam website of the attacker’s choosing.

“GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” Tavella said.

It’s currently not known where these backlinks redirect unsuspecting users to, but it’s believed that the SEO fraud scheme is being used to promote various gambling websites.

Also dropped alongside Rungan and Gamshen are various other tools –

• GoToHTTP to establish a remote connection that’s accessible from a web browser
• BadPotato or EfsPotato for creating a privileged user in the Administrators group
• Zunput to collect information about websites hosted on the IIS server and drop ASP, PHP, and JavaScript web shells

It’s assessed with medium confidence that GhostRedirector is a China-aligned threat actor based on the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., to sign the privilege escalation artifacts, and the use of the password “huang” for one of the GhostRedirector-created users on the compromised server.

That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud. Over the past year, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has engaged in SEO manipulation via BadIIS malware.

“Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website – potentially a paying client participating in an SEO fraud as-a-service scheme,” the company said.

“GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.”

Sep 04, 2025Ravie LakshmananCybersecurity / Malware

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.

NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”

The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.

The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading.

This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections.

Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection.

NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

It then proceeds to create a folder at the path %TEMP%Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed.

The malware supports four different commands –

• cmd, to execute commands and return the standard output as an email attachment
• cmdno, to execute commands
• dwn, to exfiltrate files from the victim’s computer by sending them as email attachments
• upl, to drop files to the victim’s computer

“Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.”

The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon‘s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth.

“This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said.

“Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.”

Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional

payloads.

“This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.

Sep 04, 2025Ravie LakshmananGDPR / Data Privacy

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted.

The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.”

Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE).

French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent. Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day.

The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020.

In related privacy-related announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S. Children’s Online Privacy Protection Rule (COPPA).

The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads.

In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.

Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third-party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA.

“Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said. “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.”

Sep 04, 2025Ravie LakshmananVulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild.

The vulnerabilities in question are listed below –

• CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”
• CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution

According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status –

• TL-WR841N (versions 10.0 and 11.0)
• TL-WR841ND (version 10.0)
• Archer C7 (versions 2.0 and 3.0)

However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity.

“The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said. “For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.”

There are no public reports explicitly referencing the exploitation of the aforementioned vulnerabilities, but TP-Link, in an advisory updated last week, linked in-the-wild activity to a botnet known as Quad7 (aka CovertNetwork-1658), which has been leveraged by a China-linked threat actor codenamed Storm-0940 to conduct highly evasive password spray attacks.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are being urged to apply the necessary mitigations by September 24, 2025, to secure their networks.

The development comes a day after CISA placed another high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products (CVE-2020-24363, CVSS score: 8.8) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Sep 04, 2025Ravie LakshmananArtificial Intelligence / Malware

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok.

The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking.

The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.

To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player that apparently isn’t scanned by the social media platform.

In the next step, the fraudsters tag Grok in replies to the post, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response.

“Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions,” Tal said.

“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”

Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams, information-stealing malware, and other suspicious content via direct link (aka smartlink) monetization.

The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content.

The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts.

“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”