
TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules

TCLBANKER, a highly sophisticated Brazilian banking trojan tracked under the campaign REF3076, represents a major update to the older Maverick and SORVEPOTEL families.

It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via WhatsApp and Microsoft Outlook.

The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.

File directory contents showing a malicious DLL (Source: Elastic)

By using a technique known as DLL side-loading, the hackers trick the legitimate Logitech application into loading a malicious file instead of its normal system components. Once activated, this hidden loader takes control of the system to prepare the next stages of the attack.

Targeted process names decrypted by TCLBANKER (Source: Elastic)

TCLBANKER is carefully built to hide from security researchers. Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt, keeping the malware completely hidden from automated security scanners.

Encrypted bank/fintech/crypto domains (Source: Elastic)

TCLBANKER Malware Targets Users

Once the malware confirms it is on a real victim’s machine, it launches the main banking trojan.

This tool continuously monitors the user’s web browser to detect whether the user visits one of 59 targeted banks, financial technology platforms, or cryptocurrency websites. When a match is found, the malware connects to a remote server.

To steal passwords, the trojan uses full-screen overlays built with Microsoft’s Windows Presentation Foundation. These overlays cover the entire screen and look exactly like real banking prompts or official Windows Update screens.

Zip file containing TCLBANKER grabbed from the file server (Source: Elastic)

They freeze the desktop, block keyboard shortcuts such as the Windows key or Escape, and turn off screen-capture tools so the victim cannot record the fraud. The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

What makes TCLBANKER incredibly dangerous is its ability to spread automatically. The first worm module targets WhatsApp Web. The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts.

WhatsApp Web profile cloning and session hijacking (Source: Elastic)

Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data. It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim’s contacts. Because the messages come from a trusted friend, new victims are highly likely to download the file.

Elastic Security Labs has uncovered that the second worm module focuses on email. It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim’s email account.

The bot searches the address book and inbox to harvest contacts. It then drafts completely new phishing emails and sends them from the infected user’s actual email address. This technique easily bypasses standard email security filters because the emails originate from a legitimate, trusted source.

Code related to filtering potential spam victim emails (Source: Elastic)

All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses.

The hackers also host their malicious files on Cloudflare, making the download links look safe to the average user. Researchers note that this campaign is still in its early stages, suggesting that the threat actors are likely preparing to expand their targets.

To protect against TCLBANKER, organizations should look for unusual background processes spawned by Logitech applications.

Security teams must monitor for unauthorized browser profile cloning and watch for unusual spikes in outbound emails from Microsoft Outlook. Using advanced endpoint protection that detects unauthorized full-screen overlays is also essential to keeping systems safe from this evolving threat.

IoC


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules appeared first on Cyber Security News.

NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users

A data breach at GFN.AM, an authorized NVIDIA GeForce NOW cloud gaming service provider operating under “GFN CLOUD INTERNET SERVICES” LLC, has exposed personal information belonging to registered users.

The company disclosed the incident on May 5, 2026, revealing that unauthorized access to its database occurred as far back as March 9, 2026, nearly two months before discovery.

The breach was first detected on May 2, 2026, leaving a roughly 54-day window during which threat actors may have had access to user records.

GFN.AM confirmed that the unauthorized party gained access to its backend database, allowing sensitive user data to be exfiltrated or viewed by third parties.

Critically, only users registered on or before March 9, 2026, are affected. The incident did not impact accounts created after that date.

NVIDIA Data Breach

According to the official disclosure, the following categories of personal data may have been compromised:

  • Email addresses
  • Phone numbers, for users who registered via a mobile operator
  • Date of birth
  • Full name (first and last), for users who authenticated through Google Sign-In
  • GFN.AM platform username

The company emphasized that account passwords were not compromised in this incident, reducing the immediate risk of account takeover.

However, the exposed combination of email addresses, phone numbers, and full names poses a significant risk of phishing, SIM swapping, and social engineering targeting affected users.

Following the discovery of the breach, GFN.AM stated it took immediate steps to eliminate the root cause of the unauthorized access. The company has also implemented additional organizational and technical security controls to harden its information systems and reduce the likelihood of a similar incident.

No further technical specifics, such as whether the access involved a compromised credential, an unpatched vulnerability, or a misconfigured database, were disclosed in the public notice.

Security professionals warn that even without password exposure, the leaked data is highly valuable to cybercriminals. Personal identifiers such as full names, phone numbers, and email addresses are routinely used in targeted phishing and credential-stuffing campaigns.

Users who authenticated via Google should review their account activity, as their full names were among the exposed fields.

Users registered on or before March 9, 2026, should take the following precautions:

  • Monitor email accounts for unusual login attempts or phishing messages.
  • Be cautious of unsolicited calls or SMS messages referencing GFN.AM.
  • Enable multi-factor authentication on linked Google and email accounts.
  • Consider placing a fraud alert with relevant financial institutions if additional personal data is suspected to be involved.

GFN.AM has not publicly indicated whether affected users will be notified individually or whether regulatory authorities have been informed of the breach.


The post NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users appeared first on Cyber Security News.

Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace

Threat actors are rapidly shifting their intrusion tradecraft toward high-speed, SaaS-centric attacks that completely bypass traditional endpoint security.

Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns.

These groups operate almost exclusively within trusted SaaS environments such as SharePoint, HubSpot, and Google Workspace to accelerate their time to impact.

By leveraging single sign-on (SSO) integrations, they minimize their footprint and create significant visibility challenges for enterprise defenders.

Initial Access via Vishing

The adversaries initiate their attacks using targeted voice phishing (vishing) campaigns. They impersonate corporate IT support teams to create a false sense of urgency around security updates or account issues.

This social engineering tactic directs employees to fraudulent adversary-in-the-middle (AiTM) phishing pages that closely mimic legitimate corporate login portals, using deceptive domains like company-sso[.]com.

This Falcon Shield detection details a suspicious sign-in pattern consistent with AiTM phishing attacks (Source: CrowdStrike)

When victims enter their credentials, the attackers capture authentication data and active session tokens in real time.

Because the proxy relays this authentication directly to the legitimate service, users experience a normal login and remain entirely unaware of the compromise.

These stolen credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications.

By abusing the trust relationship between the IdP and connected services, the attackers move laterally across the victim’s entire cloud ecosystem.

Once the attackers secure initial access, they immediately establish persistence by manipulating multifactor authentication (MFA) settings.

This Falcon Shield detection identifies manual deletion of security-related emails by users (Source: CrowdStrike)

They typically remove existing MFA devices and register their own hardware to the compromised accounts while appearing to authenticate from a newly trusted device.

  • SNARKY SPIDER almost exclusively enrolls Genymobile Android emulators to manage connected devices across different operating systems.
  • CORDIAL SPIDER uses a broader range of mobile devices and Windows Quick Emulators (QEMU) for its authentication needs.
  • Threat actors often register their malicious devices to long-standing accounts where MFA had not previously been enabled.
  • Both groups systematically delete automated security emails from the victim’s inbox to hide unauthorized device registrations.
  • Attackers deploy automated inbox rules to instantly filter messages containing keywords such as alert, incident, or MFA.
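The inbox-rule behaviour described in the last two bullets can be hunted for directly. The following is an added example, not CrowdStrike's or the article's code: it flags mailbox rules that both match alert-style keywords and remove the message from view, over constructed rule records whose field names are assumptions rather than any vendor's export schema.

```python
"""Flag mailbox inbox rules that hide security notifications.

Added example, not CrowdStrike's or the article's code. It runs over a
constructed list of rule records; the field names are assumptions, not
any vendor's export schema.
"""
from dataclasses import dataclass

# Keywords the article reports attackers filtering on, plus close siblings
# that the same security emails commonly contain.
SUSPICIOUS_KEYWORDS = ("alert", "incident", "mfa", "security", "sign-in", "authenticator")

# Rule actions that take a message out of the user's line of sight.
# The part before ":" is the action name; the part after it is a folder argument.
HIDING_ACTIONS = ("delete", "move_to_deleted", "move_to_junk", "move_to_archive", "move_to_folder")
DESTRUCTIVE_ACTIONS = ("delete", "move_to_deleted", "move_to_junk")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    keywords: list   # subject/body keyword conditions
    actions: list    # e.g. "move_to_folder:Archive", "delete"


@dataclass
class Finding:
    mailbox: str
    rule: str
    matched_keywords: list
    hiding_actions: list
    severity: str


def matched_keywords(rule):
    """Return the rule's keyword conditions that look like alert-hiding filters."""
    hits = []
    for kw in rule.keywords:
        if any(s in kw.lower() for s in SUSPICIOUS_KEYWORDS):
            hits.append(kw)
    return hits


def hiding_actions(rule):
    """Return the rule's actions that remove a message from the inbox."""
    return [a for a in rule.actions if a.split(":", 1)[0] in HIDING_ACTIONS]


def analyze_rules(rules):
    """A rule is suspicious only when it BOTH matches alert-like keywords AND hides the mail."""
    findings = []
    for rule in rules:
        hits = matched_keywords(rule)
        hiding = hiding_actions(rule)
        if not hits or not hiding:
            continue
        # Deleting or junking is worse than parking mail in a folder the user may still open.
        destructive = any(a.split(":", 1)[0] in DESTRUCTIVE_ACTIONS for a in hiding)
        severity = "high" if destructive else "medium"
        findings.append(Finding(rule.mailbox, rule.name, hits, hiding, severity))
    return findings


def sample_rules():
    """Constructed rules: one benign, one folder-parking, one matching the article's pattern."""
    return [
        InboxRule("b.chen@example.com", "Newsletters",
                  ["newsletter", "digest"], ["move_to_folder:Newsletters"]),
        InboxRule("c.ruiz@example.com", "Security",
                  ["security alert"], ["move_to_folder:RSS Subscriptions"]),
        InboxRule("a.lopez@example.com", ".",
                  ["alert", "incident", "MFA"], ["move_to_deleted", "mark_as_read"]),
    ]


if __name__ == "__main__":
    for f in analyze_rules(sample_rules()):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule!r} hides {f.matched_keywords} via {f.hiding_actions}")
```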

Rapid Data Exfiltration

With secure and stealthy access established, the threat actors execute targeted searches across connected SaaS platforms to locate high-value information.

SNARKY SPIDER begins exfiltration in under an hour (Source: CrowdStrike)

They frequently query terms such as confidential, SSN, contracts, and VPN to prioritize business-critical documents and infrastructure credentials.

Following this reconnaissance phase, the adversaries move quickly to aggregate and download massive datasets.

In many documented incidents, SNARKY SPIDER begins high-volume data exfiltration within an hour of the initial compromise.

These rapid breaches exploit customer misconfigurations, such as missing phishing-resistant MFA, rather than underlying vulnerabilities in the SaaS platforms themselves.

To obscure their geographic locations and evade IP-based detection, both threat groups route their traffic through commercial VPNs and residential proxy networks.

Falcon Shield detection identifies when a user downloads files at a volume (Source: CrowdStrike)

Providers like Mullvad, Oxylabs, and NetNut assign real home-user IP addresses to attackers, making malicious activity appear as benign residential traffic.

Defending against these sophisticated techniques requires comprehensive SaaS security posture management and advanced anomaly detection.

Platforms like CrowdStrike Falcon Shield address these visibility gaps by applying deep SaaS expertise to analyze authentication flows and user behaviors.

By combining entity-aware statistical models with new-age network intelligence, security teams can reliably identify anonymization services, cluster adversarial infrastructure, and disrupt these high-speed cloud threats.


The post Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace appeared first on Cyber Security News.

Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign

A sophisticated cybercriminal operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide.

Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google’s AppSheet platform to bypass traditional email security filters.

By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials and identity documents. These stolen Facebook Business accounts are subsequently monetized or resold back to victims through an illicit storefront.

The foundation of this campaign relies on hijacking platform trust rather than spoofing domains. The threat actors use Google AppSheet, a legitimate no-code app-building service, to distribute malicious notifications.

Email phishing (Source: Guardio Labs)

Because these emails are sent directly from Google servers using the address noreply@appsheet.com, they easily pass SPF, DKIM, and DMARC authentication checks.

Account Dumpling (Source: Guardio Labs)

Security defenders and spam filters consistently wave these messages through since Google genuinely owns the sending infrastructure. This forces victims to rely entirely on identifying the deceptive content within the message itself.

Attack and Evasion Methodologies

The operation is highly modular, employing four distinct phishing clusters to target victims based on different psychological triggers.

Each cluster, with its lure strategy, hosting platform and technical features:

  • Policy Violation. Lure strategy: fake Facebook Help Center notices threatening permanent account disablement. Hosting platform: Netlify. Technical features: HTTrack cloning artifacts, unique subdomains to evade blocklists, serverless functions for data exfiltration.
  • Reward Promise. Lure strategy: invitations for Blue Badge verification or exclusive advertiser rewards. Hosting platform: Vercel. Technical features: Unicode obfuscation in preheaders, fake reCAPTCHA barriers, live credential validation scripts.
  • Live Control. Lure strategy: urgent Meta notices disguised as a clean, single-image notification. Hosting platform: Google Drive (Canva PDFs). Technical features: WebSocket-based live phishing panels enabling real-time, human-in-the-loop interaction.
  • Social Engineering. Lure strategy: fake senior job offers from prominent tech companies like Meta and Apple. Hosting platform: off-platform communication channels. Technical features: Cyrillic homoglyphs in sender display names, pivoting to live conversations to slowly build trust.

Behind the sophisticated front-end lures, the AccountDumpling operation relies entirely on Telegram bots for its command-and-control exfiltration.

Telegram phishing campaign (Source: Guardio Labs)

Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photos are instantly routed to private Telegram channels.

Operators actively monitor these streams to validate the stolen data and execute account takeovers in real time. Telemetry from the recovered bot infrastructure indicates roughly 30,000 victim records have been processed.

Geographic analysis reveals that 68.6 percent of the targeted individuals and businesses are located in the United States.

Canva-generated phishing (Source: Guardio Labs)

Guardio Labs successfully traced the core of the operation to a Vietnamese threat actor through a critical operational security failure.

Phishing campaign (Source: Guardio Labs)

A Canva-generated PDF used in the third attack cluster retained its author metadata, exposing the real name “PHẠM TÀI TÂN”. Investigators connected this name to a public business persona in Vietnam that actively advertises Facebook account recovery and security services.

This reveals a circular criminal economy in which attackers steal valuable business assets, use them to run fraudulent campaigns, and then attempt to sell recovery services back to the original victims.


The post Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign appeared first on Cyber Security News.

Apple Works on Fix for iPhone Passcode Bug Linked to Missing Czech Keyboard Character

Apple is reportedly developing a software fix for a frustrating iOS 26 bug that has left some users entirely locked out of their iPhones for months.

According to a recent report by The Register, Cupertino’s software engineers are scrambling to patch a keyboard interface flaw that inadvertently removed a specific special character necessary for unlocking devices configured with custom alphanumeric passcodes.

The issue first gained public attention when a 21-year-old university student, Connor Byrne, shared his predicament on Reddit.

As The Register reported, Byrne opted not to use the standard four- or six-digit PIN on his iPhone 13. Instead, he enhanced his device security by setting a complex, custom alphanumeric string as his primary passcode.

While cybersecurity professionals highly recommend complex passcodes to thwart brute-force attacks, Byrne’s specific password combination triggered an unexpected software trap.

He utilized the caron or háček (ˇ) symbol from the iPhone’s Czech keyboard layout. When Apple released iOS 26 to the general public in September 2025, the company unknowingly removed this specific character from the lock screen keyboard.

Without the ability to type the required symbol, Byrne was permanently locked out of his smartphone. The only native solution provided by the device was a full factory reset.

However, a reset would permanently erase months of valuable photographs and personal files stored locally on the device. Choosing to preserve his data, the user has remained locked out while waiting for a potential software patch.

Following the viral social media post, Apple’s internal engineering team reportedly began investigating the issue. The Register notes that Apple is now working on a targeted fix to restore the missing character, which is expected to roll out in an upcoming major iOS 26 release.

Interestingly, despite Apple’s engineers responding within 9 days after the issue surfaced online, the extended lockout has permanently damaged the user’s trust.

According to The Register, Byrne has decided to migrate to an Android device, specifically eyeing the Samsung Galaxy S26 Ultra.

He cited both the software quality assurance oversight, noting that the current keyboard’s flaws duplicate characters side-by-side, and a preference for alternative camera hardware. Apple has not yet issued an official public comment on the fix’s timeline.

  • Backup Data Regularly: Always maintain up-to-date iCloud or physical backups. If a critical lock screen glitch occurs after an update, you can safely perform a factory reset without losing your data.
  • Review Custom Passcodes: If you use a custom alphanumeric passcode, ensure it relies on standard characters that are universally available across different keyboard layouts to avoid getting locked out.
  • Monitor Software Updates: Be cautious when adopting major operating system upgrades immediately upon release. As this incident highlights, unexpected interface bugs can temporarily sever device access.


The post Apple Works on Fix for iPhone Passcode Bug Linked to Missing Czech Keyboard Character appeared first on Cyber Security News.

Researcher Uses Claude Opus to Build a Working Chrome Exploit Chain

Amidst the heated debate surrounding Anthropic’s recent announcement of its Mythos and Project Glasswing models, a security researcher has demonstrated the tangible cybersecurity implications of frontier AI.

Moving beyond theoretical warnings, the researcher successfully utilized Claude Opus to construct a fully functional exploit chain targeting Google Chrome’s complex V8 JavaScript engine.

The experiment highlights a persistent vulnerability in the modern software ecosystem: the patch gap. Many popular desktop applications built on the Electron framework, such as Discord, Notion, and Slack, bundle their own Chromium builds.

These bundled versions often lag weeks or months behind the upstream Chrome releases, leaving known vulnerabilities unpatched and exposing users to n-day exploits.

For this test, the researcher targeted the Discord desktop application, which was running on the outdated Chrome 138 engine.

Because Discord operates without a sandbox on its main window, the exploit required only two vulnerabilities to achieve a full chain, circumventing the need for a third dedicated sandbox escape.

Chaining the Vulnerabilities

Through a series of guided interactions, Claude Opus was tasked with developing an exploit using specific unpatched flaws. The AI successfully chained together two complex vulnerabilities to achieve Remote Code Execution (RCE):

  • CVE-2026-5873: An out-of-bounds (OOB) read and write vulnerability in V8’s Turboshaft compiler for WebAssembly. Fixed in Chrome 147, this bug allowed the attacker to bypass bounds checks after tier-up compilation, enabling arbitrary memory manipulation within the V8 heap.
  • V8 Sandbox Bypass: A Use-After-Free (UAF) flaw in the WebAssembly Code Pointer Table (WasmCPT). By corrupting the import dispatch table and exploiting type confusion, the exploit escaped the V8 sandbox entirely, granting full read and write access to the entire virtual address space.

Using these chained primitives, the model generated a payload capable of redirecting execution flows to the system’s dyld cache, ultimately launching arbitrary system commands on a macOS target.

Exploit Token (Source: Hacktron)

Despite the impressive outcome, the process was far from fully autonomous. The researcher noted that Claude Opus required extensive human oversight, scaffolding, and operational management.

The AI frequently suffered from context collapse during long conversations, speculated on memory offsets instead of verifying them, and struggled to recover independently when stuck in logical loops.

Over the course of a week, the experiment consumed roughly 2.3 billion tokens across 1,765 requests, costing approximately $2,283 and requiring 20 hours of hands-on guidance.

The researcher had to continually feed the debugger (LLDB) back into the model to keep it on track, as reported by Hacktron AI.

Economic Reality and Future Threats

While the process was labor-intensive, the economics of AI-assisted exploitation are striking. Spending around $2,300 and a few days of effort to generate a reliable Chrome exploit is highly profitable when compared to commercial bug bounties, which frequently pay upwards of $10,000 for similar submissions, or the highly lucrative underground exploit market.

This experiment serves as a stark warning for the cybersecurity industry. While current models like Claude Opus still require expert babysitting to weaponize vulnerabilities, the technological trajectory is clear.

As next-generation models like Anthropic’s Mythos emerge with enhanced reasoning and coding capabilities, the barrier to generating sophisticated exploits will drop drastically.

Ultimately, the shrinking gap between automated exploit generation and slow vendor patching cycles threatens to empower less sophisticated threat actors to compromise vulnerable software at an unprecedented scale.


The post Researcher Uses Claude Opus to Build a Working Chrome Exploit Chain appeared first on Cyber Security News.

Fiverr Allegedly Leaks User Information to Google Indexing, Researchers Say

Freelance service platform Fiverr is facing a significant privacy incident after researchers discovered that sensitive customer files are publicly accessible and indexed by Google search.

According to a recent disclosure on Hacker News, an insecure file-hosting configuration has exposed personal identifiable information (PII), including completed tax forms, that were exchanged between freelancers and clients.

The Cloudinary Misconfiguration

The root of the data exposure lies in how Fiverr handles file sharing within its internal messaging system.

The platform relies on a third-party service called Cloudinary to process and host images and PDF documents, including final work products delivered to clients.

While Cloudinary operates similarly to an Amazon S3 digital storage bucket and supports secure, expiring web links, Fiverr reportedly configured the service incorrectly.

Instead of requiring authentication, Fiverr opted to generate fully public URLs for these sensitive attachments. Because these files were left open to the public, search engines like Google were able to crawl and index them.

This suggests that the public file links may have been exposed through unprotected HTML pages somewhere on Fiverr’s network.

The impact of this oversight is severe, as anyone can allegedly use specific Google search queries to surface private documents.

For example, running a site-specific search for “form 1040” on Fiverr’s Cloudinary domain instantly reveals private tax documents containing highly sensitive financial and personal data.

Interestingly, the researcher highlighted a troubling contradiction. Fiverr actively purchases Google Ads for tax preparation services, yet the platform fails to secure the resulting financial work products.

This exposure raises immediate regulatory concerns. By failing to lock down financial documents properly, the platform and its tax preparation freelancers could be in direct violation of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate strict protections for consumer financial data.

The researcher who discovered the issue claims to have followed standard responsible disclosure protocols. A detailed vulnerability report was sent to Fiverr’s designated security team 40 days before the public release.

After receiving no response or remediation efforts from the company, the researcher opted to publish the findings on Hacker News to warn affected users.

Key Takeaways and Mitigations

Until Fiverr resolves this public exposure, users are at risk of identity theft and financial fraud. Both freelancers and clients should take immediate precautions:

  • Halt sensitive transfers: Users should temporarily stop sending sensitive documents, such as tax forms or medical records, through Fiverr’s messaging system.
  • Implement signed URLs: Fiverr must urgently update its Cloudinary integration to utilize signed, time-limited URLs for all user-to-user file transfers to ensure files expire after being downloaded.
  • Request search de-indexing: The company needs to issue urgent takedown requests to Google to remove the exposed domain directories from public search results.
  • Monitor for identity theft: Clients who purchased financial or tax preparation gigs on Fiverr should monitor their credit reports for unauthorized activity.
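The signed-URL mitigation in the list above, as an added example that is not Fiverr's code and does not reproduce Cloudinary's own signature format: a bare public URL beside an HMAC-signed, time-limited one, with the server-side check that rejects tampered or expired links. The hostname and signing key are constructed placeholders.

```python
"""Signed, time-limited download URLs for user-to-user file transfers.

Added example illustrating the mitigation above; it is not Fiverr's code and
does not reproduce Cloudinary's own signature format. The hostname and key
are constructed placeholders.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = b"replace-with-a-server-side-secret"   # constructed placeholder
BASE = "https://files.example.invalid"                 # constructed placeholder


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _signature(path: str, expires_at: int, key: bytes) -> str:
    # Bind the signature to both the object path and the expiry, so that
    # neither can be changed without invalidating the URL.
    msg = f"{path}\n{expires_at}".encode("utf-8")
    return _b64url(hmac.new(key, msg, hashlib.sha256).digest())


def public_url(path: str) -> str:
    """The weak configuration: a bare URL that anyone, including a crawler, can fetch."""
    return f"{BASE}{path}"


def sign_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY, now=None) -> str:
    """The corrected configuration: a URL that stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    return f"{BASE}{path}?exp={expires_at}&sig={_signature(path, expires_at, key)}"


def verify_url(url: str, key: bytes = SIGNING_KEY, now=None):
    """Server-side check run before serving the object; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    exp = query.get("exp", [""])[0]
    sig = query.get("sig", [""])[0]
    if not exp.isdigit() or not sig:
        return False, "missing or malformed exp/sig"
    expires_at = int(exp)
    # Check the signature before the expiry, so a tampered exp cannot extend a link.
    expected = _signature(parts.path, expires_at, key)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > expires_at:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("/delivery/form-1040-2025.pdf", ttl_seconds=600)
    print(link)
    print(verify_url(link))
```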


The post Fiverr Allegedly Leaks User Information to Google Indexing, Researchers Say appeared first on Cyber Security News.

Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations

A new iteration of the notorious Mirai botnet, dubbed Nexcorium, has emerged in the wild, aggressively targeting internet-connected video recording devices.

According to recent threat research published by Fortinet’s FortiGuard Labs, threat actors are exploiting a known command injection vulnerability to hijack TBK DVR systems and construct a large-scale Distributed Denial-of-Service (DDoS) botnet.

Fortinet researchers report that the campaign specifically targets TBK DVR-4104 and DVR-4216 models by exploiting CVE-2024-3721. This OS command injection flaw allows attackers to deliver a downloader script by manipulating arguments within the device system.

During the exploitation phase, network traffic reveals a custom HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic,” leading FortiGuard Labs to attribute the campaign to a relatively unknown threat actor identified as the “Nexus Team”.

Exploit traffic via CVE-2024-3721 (Source: Fortinet)

Once the downloader script executes, it fetches multi-architecture payloads supporting ARM, MIPS, and x86-64 environments, subsequently displaying a console message stating “nexuscorp has taken control”.

Technical Capabilities and Infection Mechanisms

Fortinet’s analysis reveals that Nexcorium shares fundamental architecture with traditional Mirai variants, utilizing XOR-encoded configurations and modular components. The technical operation relies on several core mechanisms:

  • Modular Architecture: The malware deploys standard Mirai features, including a watchdog module to distinguish sub-processes, a scanner for network propagation, and an attacker module for DDoS execution.
  • Legacy Exploit Integration: To maximize its infection radius, Nexcorium incorporates the older CVE-2017-17215 vulnerability, which targets Huawei router devices.
  • Aggressive Brute-Forcing: The malware launches Telnet-based brute-force attacks against other networked hardware using a hardcoded list of common and default credentials.
  • Self-Preservation: Nexcorium verifies its own integrity using FNV-1a hashing algorithms; if the binary is altered or unreadable, it dynamically duplicates itself under a new filename to evade detection.
 XOR-Encoded CVE-2017-17215 exploit (Source: Fortinet)

To maintain long-term access to compromised systems, the malware establishes persistence through four distinct mechanisms rather than relying on a single configuration file. The botnet secures its foothold by:

  • Modifying /etc/inittab to ensure automatic process restarts if the malware is terminated.
  • Updating /etc/rc.local to guarantee execution during the device’s system startup sequence.
  • Creating a dedicated systemd service named persist.service for persistent background operation.
  • Planting scheduled tasks via crontab for reliable post-reboot execution.
Parsing the architecture information response from the victim host (Source: Fortinet)

Following this extensive setup, Fortinet notes that Nexcorium deletes its original binary from the execution path to thwart security analysts.
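As an added example (not from Fortinet's report), the following Go audit checks a filesystem root, live or a mounted DVR image, for the four persistence mechanisms listed above. The report does not name the dropper's on-disk path, so treating anything executed from world-writable scratch space as suspect is an assumed heuristic; the sample tree written by WriteSample is constructed and inert.

```go
package main

import (
	"bufio"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one persistence entry that deserves a human look.
type Finding struct {
	Mechanism string // inittab, rc.local, systemd or crontab
	Path      string
	Line      string
}

// Paths are relative to root so the audit also works on a mounted DVR image.
var (
	inittabPath = "etc/inittab"
	rcLocalPath = "etc/rc.local"
	systemdDirs = []string{"etc/systemd/system", "lib/systemd/system"}
	cronPaths   = []string{"etc/crontab", "etc/cron.d", "var/spool/cron/crontabs"}
	// Assumed heuristic: the report does not give the dropper's on-disk path,
	// so anything executed from world-writable scratch space is treated as suspect.
	scratchExec = regexp.MustCompile(`/(tmp|dev/shm)/`)
)

// scanFile records each non-comment line of path that executes something from
// scratch space. A unit named persist.service is flagged on its name alone.
func scanFile(mech, path string, out *[]Finding) {
	f, err := os.Open(path)
	if err != nil {
		return // mechanism absent on this system
	}
	defer f.Close()
	if filepath.Base(path) == "persist.service" {
		*out = append(*out, Finding{mech, path, "unit name matches the reported Nexcorium service"})
		return
	}
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if scratchExec.MatchString(line) {
			*out = append(*out, Finding{mech, path, line})
		}
	}
}

// scanPath scans every file in a directory (cron.d, unit directories) or, when
// path is a plain file such as /etc/crontab, that file alone.
func scanPath(mech, path string, out *[]Finding) {
	entries, err := os.ReadDir(path)
	if err != nil {
		scanFile(mech, path, out)
		return
	}
	for _, e := range entries {
		scanFile(mech, filepath.Join(path, e.Name()), out)
	}
}

// AuditPersistence checks the four locations the report says Nexcorium touches.
func AuditPersistence(root string) []Finding {
	var out []Finding
	scanFile("inittab", filepath.Join(root, inittabPath), &out)
	scanFile("rc.local", filepath.Join(root, rcLocalPath), &out)
	for _, d := range systemdDirs {
		scanPath("systemd", filepath.Join(root, d), &out)
	}
	for _, c := range cronPaths {
		scanPath("crontab", filepath.Join(root, c), &out)
	}
	return out
}

// WriteSample lays down a constructed, inert skeleton under root that exercises
// all four mechanisms; it is sample input for this example, not real malware.
func WriteSample(root string) error {
	files := map[string]string{
		inittabPath:                          "::sysinit:/etc/init.d/rcS\n::respawn:/tmp/.x/nexc\n",
		rcLocalPath:                          "#!/bin/sh\n/tmp/.x/nexc &\nexit 0\n",
		"etc/systemd/system/persist.service": "[Service]\nExecStart=/tmp/.x/nexc\nRestart=always\n",
		"etc/systemd/system/ntp.service":     "[Service]\nExecStart=/usr/sbin/ntpd\n",
		"etc/crontab":                        "0 3 * * * root /usr/sbin/logrotate\n@reboot root /tmp/.x/nexc\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}
```

Running AuditPersistence("/") on a suspect device lists each mechanism alongside the offending line, which is what the report's advice to look beyond a single configuration file amounts to in practice.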

The primary objective of the Nexus Team campaign is launching devastating DDoS attacks. Based on FortiGuard Labs’ decryption of the malware’s configuration table, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives.

Instead of a narrow attack scope, the botnet is equipped with a versatile arsenal of flood techniques. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors like VSE query floods and UDP blast attacks.

The discovery of Nexcorium highlights the continuous weaponization of legacy IoT devices. Security experts strongly advise organizations to immediately patch CVE-2024-3721, replace default manufacturer credentials, and isolate critical infrastructure from vulnerable IoT endpoints using network segmentation.


The post Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations appeared first on Cyber Security News.

Google Launches Gmail End-to-End Encryption for Android and iOS Users

Google has officially rolled out End-to-End Encryption (E2EE) for the Gmail application on Android and iOS devices. This major update targets users utilizing Gmail client-side encryption.

It allows organizations to handle sensitive data confidentially directly from their smartphones or tablets. The feature ensures compliance with strict data sovereignty rules while keeping the workflow entirely mobile.

Users can now compose and read encrypted messages natively within the standard Gmail application. There is no longer a requirement to download third-party applications or log into separate secure email portals.

Composing an E2EE message in Gmail (Source: Google)

Client-side encryption means the data is scrambled before it ever reaches Google’s servers.

Google holds no keys to decrypt this information, preventing the company from reading your messages under any circumstances. Employees equipped with a proper license can seamlessly send these encrypted communications to anyone.

Seamless Cross-Platform Delivery

Google designed the delivery mechanism to be entirely frictionless for the person receiving the email. If the recipient uses the standard Gmail app, the encrypted message arrives and functions just like a typical email thread.

This creates a highly user-friendly experience that requires no technical knowledge from the receiver. The system also supports external communication, as outgoing encrypted messages are not restricted to Gmail users.

Recipient without Gmail app reading in browser (Source: Google)

Guest recipients using alternative email services have a straightforward path to access the data. When a non-Gmail user receives the email, they can securely open, read, and reply using their default web browser.

This process authenticates their identity securely without requiring them to create a new account. Once verified, they can view the confidential text and download any encrypted attachments safely.

This eliminates the usual friction associated with sending protected documents to external vendors.

System administrators must take specific actions before employees can utilize these new mobile features. Admins need to log into the Workspace Admin Console and explicitly enable the mobile clients within the encryption interface.

Administrators maintain complete authority over the cryptographic keys and the identity providers used to authenticate users.

Once this backend configuration is complete, the process becomes effortless for end users. To secure a message, a user simply taps the lock icon while drafting an email and selects the additional encryption option.

Rollout and Availability Details

Requirement Type    | Specific Details
Current Status      | Available now.
Release Tracks      | Rapid Release and Scheduled Release domains.
Required Tier       | Enterprise Plus.
Required Add-on     | Assured Controls or Assured Controls Plus.
Supported Platforms | Android and iOS Gmail applications.

This security update is currently live for eligible organizational accounts requiring the highest levels of data protection. The table above outlines the specific Workspace requirements needed to access mobile end-to-end encryption.


The post Google Launches Gmail End-to-End Encryption for Android and iOS Users appeared first on Cyber Security News.

Google Unveils Device-Bound Chrome Sessions in Anti-Cookie-Theft Move

Google officially announced the public rollout of Device Bound Session Credentials (DBSC) for Windows users on Chrome 146.

According to the Google Account Security and Chrome teams, this major security update aims to eliminate session hijacking, a primary method for attackers to compromise user accounts.

The feature will also expand to macOS in an upcoming release, marking a critical industry shift from reactive threat detection to proactive prevention.

The Threat of Cookie Exfiltration

Session theft typically happens when a user accidentally downloads infostealing malware, such as the LummaC2 family. Once inside a system, the malware hunts for existing session cookies stored in the browser’s local files.

Because authentication cookies often stay valid for long periods, threat actors can steal them to bypass passwords entirely. Historically, stopping malware from reading browser memory using only software was nearly impossible, forcing security teams to rely on complex detection methods after a breach had already occurred.

An overview of the DBSC protocol showing the interaction between the browser and server (Source: Blogger)

DBSC fundamentally changes web security by tying an authentication session to a user’s physical device. The protocol relies on hardware-backed security modules, like the Trusted Platform Module (TPM) on Windows or the Secure Enclave on Apple devices.

When a user logs in, the hardware generates a unique public-private key pair. Crucially, the private key can never be exported from the machine. Websites that upgrade their backends to support DBSC issue short-lived cookies, and Chrome must constantly prove it holds the private key to refresh them.

If a hacker steals the session cookies, the credentials quickly expire and become useless because the attacker lacks the victim’s physical hardware key. Web developers can implement this seamlessly, as the browser handles the complex cryptography in the background.
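The register, refresh and expiry steps described above, as an added Go model that is not Google's or Chromium's code: a Device stands in for the TPM or Secure Enclave (the private key is never exported), a Server issues short-lived cookies and only rotates one when the outstanding challenge is signed with the session's key. The P-256 key type, cookie TTL and challenge format are assumptions for the sake of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Cookie is the short-lived bearer value the browser sends on ordinary requests.
type Cookie struct {
	SessionID string
	Value     string
	Expires   time.Time
}

// Device stands in for the TPM or Secure Enclave: it holds the per-session
// private key and exposes only the public half and a signing operation.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a server challenge; the private key never leaves Device.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

type session struct {
	pub       *ecdsa.PublicKey
	challenge []byte // single use, rotated after each successful refresh
	cookie    Cookie
}

// Server is a site whose backend has been upgraded to bind sessions to keys.
type Server struct {
	ttl      time.Duration
	sessions map[string]*session
}

func NewServer(ttl time.Duration) *Server {
	return &Server{ttl: ttl, sessions: map[string]*session{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *Server) issue(id string, now time.Time) Cookie {
	return Cookie{SessionID: id, Value: randomHex(16), Expires: now.Add(s.ttl)}
}

// Register runs at login: the session is bound to the device's public key and
// the first short-lived cookie plus the first challenge go back to the browser.
func (s *Server) Register(pub *ecdsa.PublicKey, now time.Time) (Cookie, []byte) {
	id := randomHex(8)
	sess := &session{pub: pub, challenge: []byte(randomHex(16)), cookie: s.issue(id, now)}
	s.sessions[id] = sess
	return sess.cookie, sess.challenge
}

// Refresh is the proof-of-possession step. Without a valid signature over the
// outstanding challenge no new cookie is issued, so a stolen cookie just expires.
func (s *Server) Refresh(id string, sig []byte, now time.Time) (Cookie, []byte, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return Cookie{}, nil, errors.New("unknown session")
	}
	h := sha256.Sum256(sess.challenge)
	if !ecdsa.VerifyASN1(sess.pub, h[:], sig) {
		return Cookie{}, nil, errors.New("proof of possession failed")
	}
	sess.challenge = []byte(randomHex(16)) // old signatures cannot be replayed
	sess.cookie = s.issue(id, now)        // old cookie value is retired
	return sess.cookie, sess.challenge, nil
}

// Authorize is what a resource endpoint checks: the current value, not expired.
func (s *Server) Authorize(c Cookie, now time.Time) bool {
	sess, ok := s.sessions[c.SessionID]
	return ok && sess.cookie.Value == c.Value && now.Before(c.Expires)
}
```

The point to notice is the failure mode: an attacker holding a copied cookie can present it until the TTL runs out, but cannot pass Refresh, so the theft buys only the remaining lifetime of one short-lived cookie.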

Despite its strict device-binding capabilities, DBSC was built with rigorous privacy controls. The protocol uses a completely separate key for every session.

This ensures websites cannot use the technology to track users across different sites or correlate browsing activities. Furthermore, it only shares the minimum data required to prove possession, preventing the tool from being abused for device fingerprinting.

Google developed DBSC as an open web standard alongside the W3C Web Application Security Working Group, partnering closely with Microsoft and conducting trials on platforms such as Okta. Looking ahead, Google plans to expand DBSC capabilities to secure federated identity and Single Sign-On (SSO) environments for enterprises.

The team is also developing advanced registration options to bind sessions to existing hardware security keys, and exploring software-based key support to protect devices that lack physical security hardware.


The post Google Unveils Device-Bound Chrome Sessions in Anti-Cookie-Theft Move appeared first on Cyber Security News.

Ransomware Gangs Expand Use of EDR Killers Beyond Vulnerable Drivers, ESET Warns

In recent years, Endpoint Detection and Response (EDR) killers have become a standard, highly effective weapon in modern ransomware intrusions. Before launching their file-encrypting malware, cybercriminals routinely deploy specialized tools to bypass security software.

According to a comprehensive new report by ESET Research, the threat landscape has grown far beyond the well-known Bring Your Own Vulnerable Driver (BYOVD) technique.

Attackers are now heavily using driverless methods, custom command-line scripts, and legitimate anti-rootkit utilities to turn off security defenses.

Why Attackers Prefer EDR Killers

Instead of constantly rewriting and updating ransomware encryptors to avoid security detection, threat actors find it much easier to turn off the security software first.

EDR killers provide a highly reliable, low-cost solution that gives attackers a predictable window to run their inherently noisy encryption payloads.

Susanoo EDR killer’s loading screen (Source: ESET)

Interestingly, ESET notes that ransomware affiliates, rather than the core ransomware-as-a-service operators, usually choose which EDR killer to deploy in an attack.

This dynamic creates massive tooling diversity in the wild, as different affiliates mix and match various EDR killers to suit their specific intrusion needs and skill levels.

While exploiting vulnerable kernel drivers through BYOVD remains the dominant method, the technology behind EDR killers is rapidly expanding.

Code similarities between kill-floor (Source: ESET)

ESET researchers are currently tracking almost 90 EDR killers actively used in the wild, 54 of which rely on BYOVD to exploit 35 different vulnerable drivers.

Some low-skilled attackers rely on basic command scripts or rebooting the system into Windows Safe Mode to bypass security measures. More sophisticated affiliates weaponize legitimate anti-rootkit programs, such as GMER and PC Hunter.

The advertisement for DemoKiller (Source: ESET)

These tools were originally built to remove deep-kernel malware, but their elevated privileges make them ideal weapons for terminating active security processes.

A growing and dangerous trend is the use of driverless EDR killers. Tools like EDRSilencer and EDR-Freeze do not need to interact with the system kernel at all.

Instead, they block network communication between the endpoint and the security backend, or they force the EDR software to freeze in place. Because these methods do not rely on traditional driver vulnerabilities, they are much harder for network defenders to detect.

The ESET investigation categorized the developers of these tools into three main groups. First, closed groups, such as Embargo, DeadLock, and Warlock, develop their own proprietary EDR killers from scratch.

Researchers strongly suspect that groups like Warlock are using Artificial Intelligence to assist with writing and updating their EDR killer code.

Second, many attackers modify publicly available proof-of-concept (PoC) code. Open repositories offer ready-to-use templates that attackers easily tweak by changing the programming language or adding simple code obfuscation.

Finally, a booming underground market now offers “EDR killer as a service”. Commercial tools are actively sold on dark web forums to affiliates of major ransomware gangs, complete with customer support.

Because these tools are heavily traded and shared, cybersecurity defenders face a major challenge. Analyzing a specific vulnerable driver is no longer enough to identify a specific ransomware gang.

Completely unrelated tools might abuse the same driver, and a single threat group might switch between multiple drivers in different attacks.

As the EDR killer market continues to mature and commercialize, organizations must focus on detecting the behavioral signs of security tampering rather than just tracking specific vulnerable drivers.


The post Ransomware Gangs Expand Use of EDR Killers Beyond Vulnerable Drivers, ESET Warns appeared first on Cyber Security News.

Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies

A single threat actor compromised nine Mexican government agencies and stole hundreds of millions of citizen records in a highly sophisticated cyberattack.

The campaign, which ran from late December 2025 through mid-February 2026, highlights a dangerous shift in the modern threat landscape.

Researchers at Gambit Security recently released a full technical report detailing how the attacker relied on two major commercial artificial intelligence platforms. The publication was initially delayed to allow the affected agencies time to complete their incident response efforts.

AI Models Power the Breach

The attacker used Anthropic’s Claude Code and OpenAI’s GPT-4.1 not just for planning, but as core operational tools that drastically accelerated the attack.

According to forensic evidence recovered, Claude Code generated and executed approximately 75% of all remote commands during the intrusion.

Across 34 active sessions on live victim infrastructure, the hacker logged 1,088 individual prompts. These prompts translated into 5,317 AI-executed commands, demonstrating how deeply the AI was integrated into the exploitation phase.

Claude Breach (Source: cdn)

Simultaneously, the attacker leveraged OpenAI’s GPT-4.1 for rapid reconnaissance and data processing. The hacker developed a custom 17,550-line Python script designed to pipe raw data harvested from compromised servers directly through the OpenAI API.

This automated system analyzed information across 305 internal servers, rapidly producing 2,597 structured intelligence reports. By automating the data analysis phase, a single operator successfully processed an intelligence volume that would traditionally require an entire team.

The integration of artificial intelligence allowed the attacker to turn unfamiliar networks into mapped targets in hours rather than days. Recovered materials showed the attacker possessed over 400 custom attack scripts.

Furthermore, the hacker used AI to quickly develop 20 tailored exploits targeting 20 specific Common Vulnerabilities and Exposures (CVEs). This high-speed capability compressed the attack timeline, allowing the threat actor to operate well below standard detection and response windows.

Despite the advanced methods used in the campaign, the actual vulnerabilities exploited were highly conventional. The targeted government agencies had basic security gaps that enabled the attacker to gain initial access and move laterally.

The underlying issues were addressable through standard security controls, highlighting a severe accumulation of technical debt within mission-critical infrastructure.

While artificial intelligence has significantly lowered the cost and complexity of executing widespread cyberattacks, the defense strategy remains rooted in foundational security practices.

Organizations must urgently address unpatched software and implement strict credential rotation policies. Enforcing network segmentation is also critical to restrict lateral movement once a perimeter is breached.

Finally, deploying robust endpoint detection and response tools is necessary to identify these rapidly compressed attack timelines before data exfiltration occurs.


The post Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies appeared first on Cyber Security News.

Hackers Weaponize Claude Code Leak to Spread Vidar and GhostSocks Malware

The cybersecurity community is on high alert following a massive source code leak from Anthropic. On March 31, 2026, the company accidentally exposed the complete source code for Claude Code, its flagship terminal-based coding assistant.

The leak occurred due to a packaging error in a public npm package, which inadvertently included a JavaScript source map file containing over half a million lines of unobfuscated TypeScript. While the exposed data did not include model weights or user data, it did reveal highly sensitive internal mechanisms.

Almost immediately after security researcher Chaofan Shou publicly disclosed the incident on social media, the codebase was mirrored across GitHub and forked tens of thousands of times.

Google search results for leaked Claude Code on GitHub returning a malicious repository (Source: Zscaler)

The widespread availability of the proprietary code has created a massive vector for supply chain attacks. Cybercriminals are now actively weaponizing this incident, creating malicious forks designed to compromise developer workstations.

Zscaler ThreatLabz researchers recently discovered a highly deceptive campaign leveraging the leak as a social engineering lure to target developers seeking access to the source code.

Malicious GitHub repository using the leaked Claude Code source as a lure (Source: Zscaler)

Delivering Vidar and GhostSocks Malware

In this newly discovered campaign, attackers have established malicious GitHub repositories that masquerade as the authentic leaked repository.

One prominent page, published by a threat actor named idbzoomh, currently ranks near the top of search engine results for users attempting to find the files.

Malicious GitHub repository using the leaked Claude Code source as a lure (Source: Zscaler)

The repository promises an unlocked version of the enterprise software featuring no usage limits. Instead of legitimate code, the provided zip archive contains a Rust-based dropper executable.

Upon execution, this dropper deploys the Vidar information stealer to siphon sensitive credentials and GhostSocks to proxy network traffic.

This deployment of GhostSocks closely mirrors previously observed campaigns where threat actors utilized fake software installers to distribute network proxies alongside data-stealing malware.

 Additional GitHub repository hosting the same Claude Code leak lure with a “Download ZIP” button. (Source: Zscaler)

The exposure of these internal components presents severe risks that extend far beyond simple social engineering lures. The leaked files reveal complex orchestration details, permission execution layers, persistent memory systems, and dozens of hidden internal feature flags.

Because the original codebase includes advanced capabilities for local shell execution and auto-executing scripts, threat actors possessing the full source can easily craft precise exploits.

Attackers can potentially trigger silent device takeovers or credential theft simply by tricking a developer into cloning an untrusted repository or opening a specially crafted project file.

Mitigation and Defense Strategies

Organizations must implement immediate defensive measures to protect their development environments from these opportunistic attacks.

Security teams should strongly advise all developers against downloading, building, or running any code claiming to be the leaked Anthropic software. Relying strictly on official channels and signed binaries is essential for maintaining integrity.

Furthermore, implementing a Zero Trust architecture and segmenting access to critical applications will help limit the potential blast radius if a developer workstation becomes compromised.

Monitoring for anomalous outbound network connections and scanning local environments for unexpected npm packages are critical steps for identifying early signs of infection.


The post Hackers Weaponize Claude Code Leak to Spread Vidar and GhostSocks Malware appeared first on Cyber Security News.

Top Node.js Maintainers Targeted in Sophisticated Social Engineering Scheme

A highly coordinated social engineering campaign is actively targeting top open-source developers in the Node.js and npm ecosystem.

Following the recent compromise of the popular package Axios, which sees over 100 million weekly downloads, several high-impact software maintainers have reported similar attacks.

Security researchers believe this is a strategic shift by advanced threat actors aiming to secretly poison the global software supply chain.

The attackers are hunting developers who maintain foundational JavaScript tools. Targeted individuals include the creators and maintainers of widely used packages like WebTorrent, Lodash, Fastify, and dotenv. Together, these essential tools are downloaded billions of times every single month by companies worldwide.

A LinkedIn invitation from the campaign’s operators (Source: Socket)

Socket engineers, including CEO Feross Aboukhadijeh, and Node.js Technical Steering Committee Chair Matteo Collina, confirmed they were recently targeted. Collina noted the attackers posed as a legitimate company doing outreach.

Aboukhadijeh stated that these highly sophisticated attacks against individual maintainers are becoming the new normal and are accelerating rapidly across the ecosystem.

A Patient and Deceptive Playbook

Unlike standard, easy-to-spot phishing emails, this operation takes weeks to execute. Security researcher Tay links these attacks to a North Korean threat group known as UNC1069.

According to her analysis, the hackers are extremely patient and deliberate in their approach to open-source developers.

They reach out on professional platforms like LinkedIn or Slack, using fake personas from spoofed companies like “Openfort.” Developers like Pelle Wessman and Jean Burellier reported being invited to private Slack channels and pushed to join podcast interviews.

The attackers build trust over time, scheduling and even rescheduling calls to appear entirely normal and disarming.

The trap is finally set during the scheduled video call. Hackers send a link to a fake meeting platform built to look exactly like Microsoft Teams or Streamyard.

When the victim joins, the site fakes an audio failure. To “fix” the problem, the site urges the developer to download an application or run a simple command in their terminal. This action triggers the actual attack.

Bypassing Modern Security

If the developer falls for the trick, the download instantly installs a hidden Remote Access Trojan (RAT). This dangerous malware silently collects sensitive data from the victim’s computer.

It steals browser cookies, cloud credentials, password keychains, and active developer tokens, then contacts the hackers every sixty seconds for new instructions.

Malware warning (Source: Socket)

Because the malware steals active session data, standard two-factor authentication provides no real defense. The attackers bypass login screens completely.

This gives them immediate, full control to publish code directly to the npm registry. Even advanced publishing hygiene cannot stop a compromised machine.

Historically, this specific hacking group targeted cryptocurrency founders to steal digital money. Now, they have pivoted to open-source software.

Instead of hacking targets one by one, compromising a single popular npm package allows them to reach millions of users at once through automated updates.

Security experts are urging the open-source community to stay alert and support one another without victim-blaming.

The attacks are highly convincing, and anyone could be tricked on a busy day. As these advanced threats grow, the safety of modern applications depends heavily on protecting the developers who build our foundational code.


The post Top Node.js Maintainers Targeted in Sophisticated Social Engineering Scheme appeared first on Cyber Security News.

Hackers Compromise Trivy Scanner to Inject malicious Scripts and Steal Login Credentials

A sophisticated supply chain attack targeting the official Trivy GitHub Action (aquasecurity/trivy-action) has compromised continuous integration and continuous deployment (CI/CD) pipelines globally.

Disclosed in late March 2026, this incident marks the second distinct compromise affecting the Trivy ecosystem within a single month.

Threat actors successfully force-pushed 75 out of 76 existing version tags to distribute a malicious infostealer. With over 10,000 GitHub workflow files relying on this action, the potential credential theft blast radius is massive.

Mechanics of the Tag Poisoning Attack

Instead of pushing code to a branch or creating a new release, the attacker leveraged residual write access from an earlier credential breach to alter existing version tags silently.

Screenshot of the Socket package page for one of the compromised tags (Source: Socket)

The threat actor force-pushed 75 tags, including widely used versions like @0.33.0 and @0.18.0, to point to newly forged commits.

This effectively turned trusted and supposedly immutable version references into a direct distribution mechanism for their custom infostealer malware.

By completely bypassing the need to create new releases, the attacker minimized the chances of triggering automated security alerts or notifying project maintainers of unauthorized branch updates.

To evade detection, the attacker spoofed the Git commit metadata. They cloned the original author names, dates, and commit messages to make the malicious commits appear legitimate in the repository logs.

Trivy Notification (Source: Socket)

The modified code used the current master file tree but swapped the legitimate entrypoint.sh file with an infected version.

Because the malicious commit dates conflicted with the March 2026 parent commit, and the commits lacked GitHub’s web-flow GPG signature, careful inspection reveals the forgery. Notably, version @0.35.0 remained untouched and is the only safe tag.

The injected 204-line entrypoint.sh script executes its malicious operations before running the legitimate Trivy scan, allowing it to hide in plain sight.

According to Socket, the infostealer operates in three distinct stages: targeted collection, robust encryption, and stealthy exfiltration.

During the collection phase, the malware targets both GitHub-hosted and self-hosted runners. On GitHub-hosted Linux environments, it uses passwordless sudo privileges to dump the Runner.Worker process memory and extract secrets directly from the heap.

On self-hosted runners, a comprehensive Python script scrapes the filesystem for sensitive data across multiple directories.

This script systematically hunts for SSH keys, database credentials, CI/CD configuration files, and even cryptocurrency wallet data, ensuring an extensive haul of valuable information.

In the second stage, the stolen data is compressed and encrypted using AES-256-CBC, and the encryption key is wrapped with an RSA-4096 public key.

Finally, the malware attempts to exfiltrate the encrypted bundle via an HTTPS POST request to a typosquatted domain, scan[.]aquasecurtiy[.]org.

If this primary channel fails, the script uses the victim’s own GitHub Personal Access Token to create a public repository named tpcp-docs and uploads the stolen data as a release asset.

The malware self-identifies as the “TeamPCP Cloud stealer”. Security researchers track TeamPCP as a cloud-native threat actor known for exploiting misconfigured infrastructure for ransomware and cryptomining operations.

Target Category   | Specific Files and Variables Hunted
SSH and Git       | id_rsa, authorized_keys, .git-credentials
Cloud Providers   | AWS_*, AZURE_*, ~/.config/gcloud/*
CI/CD and Docker  | terraform.tfstate, .docker/config.json
Environment Files | .env, .env.production, .env.local
Crypto Wallets    | wallet.dat, validator-keypair.json

Organizations must immediately stop referencing trivy-action by version tags, with the exception of @0.35.0. To ensure complete security, pipelines should pin the action to the specific safe commit SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1).
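As an added example (not Socket's or Aqua Security's tooling), the following Go audit applies that guidance to a workflow file: it finds every uses: reference to aquasecurity/trivy-action, classifies the ref using the safe tag and commit SHA quoted above, and can rewrite the file to pin the known-good commit. The SampleWorkflow is constructed for the example, and the tag pattern (with or without a leading v) is an assumption.

```go
package main

import (
	"regexp"
	"strings"
)

// Values stated in the Socket write-up quoted above.
const (
	SafeTag = "0.35.0"
	SafeSHA = "57a97c7e7821a5776cebc9bb87c984fa69cba8f1"
)

// Ref is one `uses:` reference to trivy-action found in a workflow file.
type Ref struct {
	Line    int
	Ref     string // text after the @
	Verdict string
}

var (
	usesRe    = regexp.MustCompile(`^\s*-?\s*uses:\s*aquasecurity/trivy-action@([^\s#]+)`)
	shaRe     = regexp.MustCompile(`^[0-9a-f]{40}$`)
	versionRe = regexp.MustCompile(`^v?\d+\.\d+\.\d+$`)
)

// classify applies the advisory: the named commit is safe, 0.35.0 is the only
// untouched tag, every other version tag was force-pushed, a branch name is
// mutable by construction, and an unknown SHA needs a manual check.
func classify(ref string) string {
	switch {
	case ref == SafeSHA:
		return "pinned-safe"
	case shaRe.MatchString(ref):
		return "sha-unverified"
	case strings.TrimPrefix(ref, "v") == SafeTag:
		return "tag-safe"
	case versionRe.MatchString(ref):
		return "tag-poisoned"
	default:
		return "branch-mutable"
	}
}

// AuditWorkflow returns every trivy-action reference in one workflow's text.
func AuditWorkflow(text string) []Ref {
	var out []Ref
	for i, line := range strings.Split(text, "\n") {
		if m := usesRe.FindStringSubmatch(line); m != nil {
			out = append(out, Ref{Line: i + 1, Ref: m[1], Verdict: classify(m[1])})
		}
	}
	return out
}

// PinToSafeSHA rewrites every reference that is not already the safe commit,
// leaving the previous ref in a trailing comment for the reviewer.
func PinToSafeSHA(text string) string {
	lines := strings.Split(text, "\n")
	for i, line := range lines {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || m[1] == SafeSHA {
			continue
		}
		lines[i] = strings.Replace(line, "@"+m[1], "@"+SafeSHA+" # was @"+m[1], 1)
	}
	return strings.Join(lines, "\n")
}

// SampleWorkflow is a constructed workflow that mixes the cases classify handles.
const SampleWorkflow = `name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan (poisoned tag)
        uses: aquasecurity/trivy-action@0.33.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
`
```

Any workflow that reports tag-poisoned or branch-mutable should be treated as having run untrusted code, which is the trigger for the secret rotation described below.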

Any environment that executed a poisoned tag must be considered fully compromised. Security teams should urgently rotate all exposed secrets, including cloud credentials and API tokens.

Additionally, administrators should audit their GitHub organizations for unauthorized tpcp-docs repositories.


The post Hackers Compromise Trivy Scanner to Inject malicious Scripts and Steal Login Credentials appeared first on Cyber Security News.

FBI, CISA Warn Russian Hackers Are Targeting High-Value Individuals Through Signal

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released a joint cybersecurity advisory regarding a widespread phishing campaign.

The alert warns that Russian Intelligence Services are actively targeting users of encrypted messaging applications, primarily Signal.

The attackers are bypassing the platform’s robust end-to-end encryption by hijacking user accounts rather than compromising the underlying cryptographic protocols.

FBI, CISA Warn Russian Hackers

This cyber espionage campaign is meticulously designed to compromise individuals who possess high intelligence value.

The threat actors are specifically targeting current and former United States government officials, military personnel, influential political figures, and prominent journalists.

According to the intelligence agencies, the operation has already resulted in unauthorized access to thousands of accounts worldwide.

Because Signal’s core encryption remains secure, hackers rely entirely on deceptive social engineering techniques to trick victims into surrendering control of their profiles.

The attackers initiate contact by sending in-app messages that impersonate official automated support channels. These fraudulent profiles often use authoritative names such as “Signal Security Support ChatBot” or “Signal Security Team” to appear legitimate.

To manipulate the victims, the messages artificially manufacture a sense of urgency. They falsely claim that the user’s account has experienced a data leak, or that suspicious login attempts were detected from foreign locations and unrecognized devices.

The messages then instruct the target to complete a mandatory verification procedure to secure their account by handing over their SMS verification code or scanning a malicious QR code.

When a victim inadvertently shares their verification code, the attackers exploit the application’s linked device feature. This allows the hackers to tether their own hardware to the compromised account without raising immediate alarms.

Once inside, the threat actors gain the ability to silently monitor private conversations, read historical messages, and infiltrate private group chats.

Furthermore, they can harvest contact lists and impersonate the victim to launch secondary phishing campaigns against trusted colleagues.

Recommended Mitigations

To defend against these sophisticated account takeover attempts, the FBI and CISA urge users to implement strict security hygiene and vigilance.

  • Protect your accounts by never sharing verification codes or personal PINs with anyone, since legitimate support staff will never request authentication codes through direct messages.
  • Treat unexpected security alerts with extreme caution, and never scan unsolicited QR codes or click unverified links sent by unknown contacts.
  • Frequently audit the linked devices menu within the application settings to immediately spot and disconnect any unauthorized hardware.
  • Turn on the disappearing messages feature to automatically purge highly sensitive conversations after a specified time limit, minimizing the data available if an account is compromised.


The post FBI, CISA Warn Russian Hackers Are Targeting High-Value Individuals Through Signal appeared first on Cyber Security News.
