Two recent cybersecurity incidents involving financial services providers have exposed the personal information of millions of individuals, highlighting ongoing risks across the fintech and credit reporting ecosystem. The larger of the two incidents involves Prosper Marketplace cybersecurity incident, confirmed last week by the San Francisco-based fintech company. Prosper disclosed that 13.1 million people were affected after unauthorized activity was discovered on its systems on September 1, 2025. A subsequent investigation revealed that attackers accessed data between June and August 2025.

Prosper Marketplace Cybersecurity Incident Details

In its official notice, Prosper stated, "On September 1, 2025, Prosper discovered unauthorized activity on our systems. We acted quickly to stop the activity and enhance our security measures, and we began working with a leading cybersecurity firm to investigate what happened." While Prosper emphasized that there was no evidence of unauthorized access to customer accounts or funds, attackers were able to obtain a wide range of sensitive personal and financial data. The exposed information includes names, Social Security numbers, national ID numbers, dates of birth, bank account numbers, Prosper account numbers, financial application details, driver’s license numbers, passports, tax information, and payment card numbers. Regulatory filings show the scale of the exposure across states, with more than 1.1 million affected individuals in Texas, 236,000 in South Carolina, and 249,000 in Washington state. Prosper said it has begun notifying affected individuals and is offering two years of credit monitoring and identity restoration services through Experian. The company also confirmed that law enforcement was notified about cybersecurity incidents, and additional security and monitoring controls have been deployed. Founded in 2005, Prosper is best known for its peer-to-peer lending platform, through which more than 2 million customers have borrowed over $28 billion in personal loans. The company also offers home equity loans, lines of credit, and credit card products.

700Credit Security Incident Impacts Over 5.8 Million People

In a separate cybersecurity incident, Michigan-based 700Credit data exposure affected 5,836,521 individuals, according to a notice issued on Friday. The incident was discovered on October 25, 2025, when the company’s IT team identified unauthorized access to its systems. 700Credit provides credit reports, compliance solutions, identity verification, and fraud detection services to car dealerships across the U.S. The company said attackers made copies of data stored within its systems. The compromised information includes names, Social Security numbers, dates of birth, and physical addresses. Following the incident, 700Credit confirmed it will file a consolidated breach notice with the FTC on behalf of its affected dealership clients, after receiving approval from the agency. “We timely notified the FBI and the FTC and confirmed with the FTC that 700Credit’s filing on behalf of all dealers is sufficient to meet dealer obligations to notify the FTC.  In addition, we will be notifying State AG offices on behalf of dealers.  Impacted consumers will also be notified and offered credit monitoring services and assistance they may need. 700Credit has also been working directly with NADA,” the company said in a notice. As a result, dealers are not required to file separate FTC breach notifications related to this incident. However, dealers are still responsible for complying with state-level breach notification requirements, which remain unaffected by the FTC’s decision. Dealers have been advised to consult legal counsel to ensure compliance with applicable state laws.

Financial Services Sector Faces Rising Cybersecurity Incidents

The Prosper and 700Credit incidents come just weeks after a cyberattack on SitusAMC, a company used by major banks for real estate loan and mortgage services. That incident, discovered on November 12, 2025, involved stolen accounting records and legal agreements. Together, these cybersecurity incidents emphasise a growing trend: financial services providers and fintech companies are increasingly targeted for the volume and sensitivity of data they hold. While no threat actor has publicly claimed responsibility for either the Prosper Marketplace or 700Credit incidents, the scale of exposure raises concerns about identity theft, financial fraud, and long-term consumer risk. Both companies have urged affected individuals to remain vigilant, monitor their credit reports, and report any suspicious activity.

India's Central Bureau of Investigation uncovered and disrupted a large-scale cyber fraud infrastructure, which it calls a "phishing SMS factory," that sent lakhs of smishing messages daily across the country to trick citizens into fake digital arrests, loan scams, and investment frauds.

The infrastructure that was operated by a registered company, M/s Lord Mahavira Services India Pvt. Ltd., used an online platform to control approximately 21,000 SIM cards that were obtained by violating the Department of Telecommunications rules.

The organized cyber gang operating from Northern India provided bulk SMS services to cybercriminals including foreign operators targeting Indian citizens. The CBI arrested three individuals associated to the cyber gang as part of the broader Operation Chakra-V, which is focused on breaking the backbone of cybercrime infrastructure in India.

The investigation began when CBI studied the huge volume of fake SMS messages people receive daily that often lead to serious financial fraud. Working closely with the Department of Telecommunications and using information from various sources including the highly debated Sanchar Saathi portal, investigators identified the private company allegedly running the "phishing SMS factory.

Active System Seized

CBI conducted searches at several locations of North India including Delhi, Noida, and Chandigarh, where it discovered a completely active system used for sending phishing messages. The infrastructure included servers, communication devices, USB hubs, dongles, and thousands of SIM cards operating continuously to dispatch fraud messages.

The messages offered fake loans, investment opportunities, and other financial benefits aimed at stealing personal and banking details from innocent people. The scale of operations enabled lakhs of fraud messages to be distributed every day across India.

Telecom Channel Partner Involvement

Early findings of the investigations suggested an involvement of certain channel partners of telecom companies and their employees who helped illegally arrange SIM cards for the fraudulent operations. This insider facilitation allowed the gang to obtain the massive quantity of SIM cards despite telecommunications regulations designed to prevent such accumulation.

The 21,000 SIM cards were controlled through an online platform specifically designed to send bulk messages, the CBI said.

Digital Evidence and Cryptocurrency Seized

CBI also seized important digital evidence, unaccounted cash, and cryptocurrency during the operation. The seizures provide investigators with critical data to trace financial flows, identify additional conspirators, and understand the full scope of the fraud network's operations.

The discovery that foreign cyber criminals were using this service to cheat Indian citizens highlights the transnational nature of the operation, with domestic infrastructure being leveraged by overseas fraudsters to target vulnerable Indians.

Operation Chakra-V Targets Infrastructure

The dismantling of this phishing SMS factory demonstrates CBI's strategy under Operation Chakra-V to attack the technical backbone of organized cybercrime rather than merely arresting individual fraudsters. By disrupting the infrastructure enabling mass fraud communications, authorities aim to prevent thousands of potential victims from receiving deceptive messages.

As part of Operation Chakra-V crackdown, on Sunday, CBI also filed charges against 17 individuals including four likely Chinese nationals and 58 companies for their alleged involvement in a transnational cyber fraud network operating across multiple Indian states.

CBI said a single cybercrime syndicate was behind this extensive digital and financial infrastructure that has already defrauded thousands of Indians worth more than ₹1,000 crore. The operators used misleading loan apps, fake investment schemes, Ponzi and MLM models, fake part-time job offers, and fraudulent online gaming platforms for carrying out the cyber fraud. Google advertisements, bulk SMS campaigns, SIM-box based messaging systems, cloud infrastructure, fintech platforms and multiple mule bank account were all part of the modus operandi of this cybercriminal network. Earlier last week, the CBI had filed similar charges against 30 people including two Chinese nationals who ran shell companies and siphoned money from Indian investors through fake cryptocurrency mining platforms, loan apps, and fake online job offers during the COVID-19 lockdown period.

Read: CBI Files Chargesheet Against 30 Including Two Chinese Nationals in ₹1,000 Cr Cyber Fraud Network

SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In what is being reported as a SoundCloud cyberattack, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”  Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the SoundCloud cyberattack incident. 

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.  SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform. 

Scope of Exposed Data and User Impact 

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stresses that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.  “We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”  Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.   Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.  SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said. 

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.  Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.  “We are actively working to resolve these VPN related access issues,” the company said. 

PornHub is facing renewed scrutiny after confirming that some Premium users’ activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. On December 12, 2025, PornHub published a security notice confirming that a cyberattack on Mixpanel led to the exposure of historical analytics data, affecting a limited number of Premium users. According to PornHub, the compromised data included search and viewing history tied to Premium accounts, which has since been used in extortion attempts attributed to the ShinyHunters extortion group. “A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” the company stated in its notice dated December 12, 2025.  PornHub stresses that the incident did not involve a compromise of its own systems and that sensitive account information remained protected.  “Specifically, this situation affects only select Premium users. It is important to note that this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”  According to PornHub, the affected records are not recent. The company said it stopped working with Mixpanel in 2021, indicating that any stolen data would be at least four years old. Even so, the exposure of viewing and search behavior has raised privacy concerns, particularly given the stigma and personal risk that can accompany such information if misused. 

Mixpanel Smishing Attack Triggered Supply-Chain Exposure 

The root of the incident was a PornHub cyberattack by proxy, a supply-chain compromise. Mixpanel disclosed on November 27, 2025, that it had suffered a breach earlier in the month. The company detected the intrusion on November 8, 2025, after a smishing (SMS phishing) campaign allowed threat actors to gain unauthorized access to its systems. Mixpanel CEO Jen Taylor addressed the incident in a public blog post, stressing transparency and remediation.  “On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes,” Taylor wrote. “We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.”  Mixpanel said the breach affected only a “limited number” of customers and that impacted clients were contacted directly. The company outlined an extensive response that included revoking active sessions, rotating compromised credentials, blocking malicious IP addresses, performing global password resets for employees, and engaging third-party forensic experts. Law enforcement and external cybersecurity advisors were also brought in as part of the response. 

OpenAI and PornHub Among Impacted Customers 

PornHub was not alone among Mixpanel’s customers caught up in the incident. OpenAI disclosed on November 26, 2025, one day before Mixpanel’s public announcement, that it, too, had been affected. OpenAI clarified that the incident occurred entirely within Mixpanel’s environment and involved limited analytics data related to some API users.  “This was not a breach of OpenAI’s systems,” the company said, adding that no chats, API requests, credentials, payment details, or government IDs were exposed. OpenAI noted that it uses Mixpanel to manage web analytics on its API front end.  PornHub denoted a similar assurance in its own disclosure, stating that it had launched an internal investigation with the support of cybersecurity experts and had engaged with relevant authorities. “We are working diligently to determine the nature and scope of the reported incident,” the company said, while urging users to remain vigilant for suspicious emails or unusual activity.  Despite those assurances, the cyberattack on PornHub, albeit indirect, has drawn attention due to the sensitive nature of the exposed data and the reported extortion attempts now linked to it. 

PornHub Data Breach Comes Amid Expanding U.S. Age-Verification Laws 

The PornHub data breach arrives at a time when the platform is already under pressure from sweeping age-verification laws across the United States. PornHub is currently blocked in 22 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. These restrictions stem from state laws requiring users to submit government-issued identification or other forms of age authentication to access explicit content.  Louisiana was the first state to enact such a law, and others followed after the U.S. Supreme Court ruled in June that Texas’s age-verification statute was constitutional. Although PornHub is not blocked in Louisiana, the requirement for ID verification has had a significant impact. Aylo, PornHub’s parent company, said that the traffic in the state dropped by approximately 80 percent after the law took effect.  Aylo has repeatedly criticized the implementation of these laws. “These people did not stop looking for porn. They just migrated to darker corners of the internet that don’t ask users to verify age, that don’t follow the law, that don’t take user safety seriously,” the company said in a statement.  Aylo added that while it supports age verification in principle, the current approach creates new risks. Requiring large numbers of adult websites to collect highly sensitive personal information, the company argued, puts users in danger if those systems are compromised.

For years, data privacy in India lived in a grey zone. Mobile numbers demanded at checkout counters. Aadhaar photocopies lying unattended in hotel drawers. Marketing messages that arrived long after you stopped using a service. Most of us accepted this as normal, until the law caught up.  That moment has arrived.  The Digital Personal Data Protection Act (DPDP Act), 2023, backed by the Digital Personal Data Protection Rules, 2025 notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025, marks a decisive shift in how personal data must be treated in India. As the country heads into 2026, businesses are entering the most critical phase: execution.  Companies now have an 18-month window to re-engineer systems, processes, and accountability frameworks across IT, legal, HR, marketing, and vendor ecosystems. The change is not cosmetic. It is structural.  As Sandeep Shukla, Director, International Institute of Information Technology Hyderabad (IIIT Hyderabad), puts it bluntly: 

“Well, I can say that Indian Companies so far has been rather negligent of customer's privacy. Anywhere you go, they ask for your mobile number.” 

The DPDP Act is designed to ensure that such casual indifference to personal data does not survive the next decade.  Below are eight fundamental ways the DPDP Act will change how Indian companies handle data in 2026, with real-world implications for businesses, consumers, and the digital economy.

1. Privacy Will Movefromthe Back Office to the Boardroom 

Until now, data protection in Indian organizations largely sat with compliance teams or IT security. That model will not hold in 2026.  The DPDP framework makes senior leadership directly accountable for how personal data is handled, especially in cases of breaches or systemic non-compliance. Privacy risk will increasingly be treated like financial or operational risk. 

According to Shashank Bajpai, CISO & CTSO at YOTTA, “The DPDP Act (2023) becomes operational through Rules notified in November 2025; the result is a staggered compliance timetable that places 2026 squarely in the execution phase. That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress.” 

In 2026, privacy decisions will increasingly sit with boards, CXOs, and risk committees. Metrics such as consent opt-out rates, breach response time, and third-party risk exposure will become leadership-level conversations, not IT footnotes.

2. Consent Will Become Clear, Granular, and Reversible

One of the most visible changes users will experience is how consent is sought.  Under the DPDP Act, consent must be specific, informed, unambiguous, and easy to withdraw. Pre-ticked boxes and vague “by using this service” clauses will no longer be enough. 

As Gauravdeep Singh, State Head (Digital Transformation), e-Mission Team, MeitY, explains, “Data Principal = YOU.” 

Whether it’s a food delivery app requesting location access or a fintech platform processing transaction history, individuals gain the right to control how their data is used—and to change their mind later.

3. Data Hoarding Will Turnintoa Liability 

For many Indian companies, collecting more data than necessary was seen as harmless. Under the DPDP Act, it becomes risky.  Organizations must now define why data is collected, how long it is retained, and how it is securely disposed of. If personal data is no longer required for a stated purpose, it cannot simply be stored indefinitely. 

Shukla highlights how deeply embedded poor practices have been, “Hotels take your aadhaar card or driving license and copy and keep it in the drawers inside files without ever telling the customer about their policy regarding the disposal of such PII data safely and securely.” 

In 2026, undefined retention is no longer acceptable.

4. Third-Party Vendors Will Come Under the Scanner

Data processors like cloud providers, payment gateways, CRM platforms, will no longer operate in the shadows.  The DPDP Act clearly distinguishes between Data Fiduciaries (companies that decide how data is used) and Data Processors (those that process data on their behalf). Fiduciaries remain accountable, even if the breach occurs at a vendor.  This will force companies to: 

• Audit vendors regularly 

• Rewrite contracts with DPDP clauses 

• Monitor cross-border data flows 

As Shukla notes, “The shops, E-commerce establishments, businesses, utilities collect so much customer PII, and often use third party data processor for billing, marketing and outreach. We hardly ever get to know how they handle the data.” 

In 2026, companies will be required to audit vendors, strengthen contracts, and ensure processors follow DPDP-compliant practices, because liability remains with the fiduciary.

5. Breach Response Will Be Timed, Tested, and Visible

Data breaches are no longer just technical incidents, they are legal events.  The DPDP Rules require organizations to detect, assess, and respond to breaches with defined processes and accountability. Silence or delay will only worsen regulatory consequences. 

As Bajpai notes, “The practical effect is immediate: companies must move from policy documents to implemented consent systems, security controls, breach workflows, and vendor governance.” 

Tabletop exercises, breach simulations, and forensic readiness will become standard—not optional. 

6. SignificantData Fiduciaries (SDFs) Will Face Heavier Obligations 

Not all companies are treated equally under the DPDP Act. Significant Data Fiduciaries (SDFs)—those handling large volumes of sensitive personal data, will face stricter obligations, including: 

• Data Protection Impact Assessments 

• Appointment of India-based Data Protection Officers 

• Regular independent audits 

Global platforms like Meta, Google, Amazon, and large Indian fintechs will feel the pressure first, but the ripple effect will touch the entire ecosystem.

7. A New Privacy Infrastructure Will Emerge

The DPDP framework is not just regulation—it is ecosystem building. 

As Bajpai observes, “This is not just regulation; it is an economic strategy to build domestic capability in cloud, identity, security and RegTech.” 

Consent Managers, auditors, privacy tech vendors, and compliance platforms will grow rapidly in 2026. For Indian startups, DPDP compliance itself becomes a business opportunity.

8. Trust Will Become a Competitive Advantage

Perhaps the biggest change is psychological. In 2026, users will increasingly ask: 

• Why does this app need my data? 

• Can I withdraw consent? 

• What happens if there’s a breach? 

One Reddit user captured the risk succinctly, “On paper, the DPDP Act looks great… But a law is only as strong as public awareness around it.” 

Companies that communicate transparently and respect user choice will win trust. Those that don’t will lose customers long before regulators step in. 

Preparing for 2026: From Awareness to Action 

As Hareesh Tibrewala, CEO at Anhad, notes, “Organizations now have the opportunity to prepare a roadmap for DPDP implementation.”

For many businesses, however, the challenge lies in turning awareness into action, especially when clarity around timelines and responsibilities is still evolving.  The concern extends beyond citizens to companies themselves, many of which are still grappling with core concepts such as consent management, data fiduciary obligations, and breach response requirements. With penalties tiered by the nature and severity of violations—ranging from significant fines to amounts running into hundreds of crores, this lack of understanding could prove costly.  In 2026, regulators will no longer be looking for intent, they will be looking for evidence of execution. As Bajpai points out, “That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress.” 

What Companies Should Do Now: A Practical DPDP Act Readiness Checklist 

As India moves closer to full DPDP enforcement, organizations that act early will find compliance far less disruptive. At a minimum, businesses should focus on the following steps: 

• Map personal data flows: Identify what personal data is collected, where it resides, who has access to it, and which third parties process it. 

• Review consent mechanisms: Ensure consent requests are clear, purpose-specific, and easy to withdraw, across websites, apps, and internal systems. 

• Define retention and deletion policies: Establish how long different categories of personal data are retained and document secure disposal processes. 

• Assess third-party risk: Audit vendors, cloud providers, and processors to confirm DPDP-aligned controls and contractual obligations. 

• Strengthen breach response readiness: Put tested incident response and notification workflows in place, not just policies on paper. 

• Train employees across functions: Build awareness beyond IT and legal teams, privacy failures often begin with everyday operational mistakes. 

• Assign ownership and accountability: Clearly define who is responsible for DPDP compliance, reporting, and ongoing monitoring. 

These steps are not about ticking boxes; they are about building muscle memory for a privacy-first operating environment. 

2026 Is the Year Privacy Becomes Real 

The DPDP Act does not promise instant perfection. What it demands is accountability.  By 2026, privacy will move from policy documents to product design, from legal fine print to leadership dashboards, and from reactive fixes to proactive governance. Organizations that delay will not only face regulatory penalties, but they also risk losing customer trust in an increasingly privacy-aware market. 

As Sandeep Shukla cautions, “It will probably take years before a proper implementation at all levels of organizations would be seen.” 

But the direction is clear. Personal data in India can no longer be treated casually.  The DPDP Act marks the end of informal data handling, and the beginning of a more disciplined, transparent, and accountable digital economy. 

The FBI Anchorage Field Office has issued a public warning after seeing a sharp increase in fraud cases targeting residents across Alaska. According to federal authorities, scammers are posing as law enforcement officers and government officials in an effort to extort money or steal sensitive personal information from unsuspecting victims.

The warning comes as reports continue to rise involving unsolicited phone calls where criminals falsely claim to represent agencies such as the FBI or other local, state, and federal law enforcement bodies operating in Alaska. These scams fall under a broader category of law enforcement impersonation scams, which rely heavily on fear, urgency, and deception.

How the Phone Scam Works

Scammers typically contact victims using spoofed phone numbers that appear legitimate. In many cases, callers accuse individuals of failing to report for jury duty or missing a court appearance. Victims are then told that an arrest warrant has been issued in their name.

To avoid immediate arrest or legal consequences, the caller demands payment of a supposed fine. Victims are pressured to act quickly, often being told they must resolve the issue immediately. According to the FBI, these criminals may also provide fake court documents or reference personal details about the victim to make the scam appear more convincing.

In more advanced cases, scammers may use artificial intelligence tools to enhance their impersonation tactics. This includes generating realistic voices or presenting professionally formatted documents that appear to come from official government sources. These methods have contributed to the growing sophistication of government impersonation scams nationwide.

Common Tactics Used by Scammers

Authorities note that these scams most often occur through phone calls and emails. Criminals commonly use aggressive language and insist on speaking only with the targeted individual. Victims are often told not to discuss the call with family members, friends, banks, or law enforcement agencies.

Payment requests are another key red flag. Scammers typically demand money through methods that are difficult to trace or reverse. These include cash deposits at cryptocurrency ATMs, prepaid gift cards, wire transfers, or direct cryptocurrency payments. The FBI has emphasized that legitimate government agencies never request payment through these channels.

FBI Clarifies What Law Enforcement Will Not Do

The FBI has reiterated that it does not call members of the public to demand payment or threaten arrest over the phone. Any call claiming otherwise should be treated as fraudulent. This clarification is a central part of the FBI’s broader FBI scam warning Alaska residents are being urged to take seriously.

Impact of Government Impersonation Scams

Data from the FBI’s Internet Crime Complaint Center (IC3) highlights the scale of the problem. In 2024 alone, IC3 received more than 17,000 complaints related to government impersonation scams across the United States. Reported losses from these incidents exceeded $405 million nationwide.

Alaska has not been immune. Reported victim losses in the state surpassed $1.3 million, underscoring the financial and emotional impact these scams can have on individuals and families.

How Alaskans Can Protect Themselves

To reduce the risk of falling victim, the FBI urges residents to “take a beat” before responding to any unsolicited communication. Individuals should resist pressure tactics and take time to verify claims independently.

The FBI strongly advises against sharing or confirming personally identifiable information with anyone contacted unexpectedly. Alaskans are also cautioned never to send money, gift cards, cryptocurrency, or other assets in response to unsolicited demands.

What to Do If You Are Targeted

Anyone who believes they may have been targeted or victimized should immediately stop communicating with the scammer. Victims should notify their financial institutions, secure their accounts, contact local law enforcement, and file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov. Prompt reporting can help limit losses and prevent others from being targeted.

The Pierce County Library System cyberattack has exposed the personal information of more than 340,000 individuals following a cybersecurity incident discovered in April 2025. The public library system, which operates 19 locations and serves nearly one million residents outside Seattle, confirmed that unauthorized access to its network resulted in sensitive data being copied and taken. According to breach notification letters published this week on the Pierce County Library System (PCLS) website and filed with regulators in multiple states, the incident occurred between April 15 and April 21, 2025. PCLS detected the breach on April 21 and immediately shut down its systems to contain the attack and begin an investigation.

Unauthorized Network Access and Data Exposure

The investigation revealed that attackers gained access to PCLS systems for nearly a week and exfiltrated files containing personal information. By May 12, the organization confirmed that hackers had stolen data belonging to both library patrons and current or former employees. For library patrons, the exposed data included names and dates of birth. For employees and their family members, the compromised information was significantly more sensitive. Impacted data may include Social Security numbers, financial account details, driver’s license numbers, credit card information, passport numbers, health insurance records, medical information, and dates of birth. PCLS stated that it is not currently aware of any misuse of the stolen data. However, the organization acknowledged the seriousness of the breach and emphasized that it takes the confidentiality and privacy of personal information in its care very seriously.

Ransomware Gang Claims Responsibility of Pierce County Library System cyberattack

The Pierce County Library System cyberattack was claimed in May by the INC ransomware gang, a cybercriminal group that has carried out multiple high-profile attacks against government and public-sector organizations in 2025. The group has previously targeted systems such as the Pennsylvania Office of the Attorney General and an emergency warning service used by municipalities across the United States. While PCLS has not publicly confirmed whether a ransom demand was made or paid, public library systems have increasingly become targets for ransomware attacks on public libraries. Cybercriminal groups often assume that governments will pay to quickly restore access to essential public services.

History of Cyber Incidents in Pierce County

This is not the first cybersecurity incident to impact Pierce County. In 2023, a ransomware attack disrupted the county’s public bus service, affecting systems used by approximately 18,000 riders daily. The recurring nature of such incidents highlights ongoing challenges faced by local governments in defending critical public infrastructure. Globally, library systems have experienced a rise in cyberattacks in recent years. High-profile incidents, including the British Library cyberattack, along with multiple attacks across Canada and the United States, have caused prolonged outages and service disruptions.

Steps for Impacted Individuals

PCLS is urging affected individuals to remain vigilant against identity theft and fraud. The organization recommends regularly reviewing bank and credit card statements and monitoring credit reports for suspicious activity. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit bureaus, Equifax, Experian, and TransUnion. Individuals may also place fraud alerts or credit freezes on their credit files at no cost to help prevent unauthorized accounts from being opened in their name. PCLS has provided a dedicated call center for questions related to the incident. As cyberattack on the Pierce County Library System continue to expand digital offerings, cybersecurity remains a critical challenge requiring sustained investment and vigilance.

Japan is set to hold its first public-private sector tabletop exercise to prepare for large-scale cyberattacks, particularly targeting critical infrastructure. The drill, scheduled for December 18th, will involve the central government, the Tokyo metropolitan government, and major infrastructure operators across the capital region.  The exercise comes during multiple cyberattacks in Japan, which have increasingly targeted sectors essential to daily life and economic activity. By simulating infrastructure disruptions, officials aim to identify vulnerabilities and establish a coordinated public-private response framework.  The exercise is designed around a scenario in which a sudden, large-scale power outage of unknown origin hits the Tokyo metropolitan area. Participants will simulate cascading disruptions affecting water supply, telecommunications, internet services, traffic networks, and railway operations. The goal is to replicate the chain reactions that could occur if Japan's cyberattacks multiple systems simultaneously.  If power outages are prolonged, healthcare facilities could face urgent challenges, including the care of patients dependent on ventilators or dialysis machines. Similarly, persistent traffic congestion could delay fuel deliveries, including gasoline and diesel, with serious repercussions for everyday life and commercial activity. 

Collaboration Between Public and Private Sectors 

The cybersecurity drill will involve key infrastructure sectors in Tokyo, including electricity, gas, telecommunications, healthcare, and finance. The National Security Secretariat and the Tokyo metropolitan government are leading the exercise, with participation from major private-sector operators. Officials hope the exercise will clarify existing coordination challenges and strengthen preparedness for real-world incidents.  By conducting its first public-private cyber drill, Japan seeks not only to test operational readiness but also to reinforce collaboration between government agencies and private infrastructure operators. The simulation emphasizes the need for real-time communication, rapid decision-making, and coordinated measures to mitigate the impact of cyber incidents. 

Strengthening Japan’s Cyber Resilience 

This marks an important step in Japan’s response to cyberattacks, particularly as the country has faced a series of incidents targeting critical infrastructure in recent years. Experts note that Japan, with its highly interconnected urban infrastructure, is particularly vulnerable to cyberattacks that can trigger cascading failures.   Disruptions in one sector, such as electricity, can quickly affect water distribution, transportation networks, healthcare facilities, and financial services. The Tokyo metropolitan area, as the nation’s economic and political center, is especially critical in this context.  As Japan faces new cyber threats from highly skilled cyber actors, exercises such as this one in Tokyo are expected to become a regular component of national cybersecurity strategy. Officials believe that repeated drills will help identify gaps, improve response protocols, and enhance resilience against future cyberattacks on Japan’s essential infrastructure. 

Shashank Bajpai, CISO & CTSO at Yotta 2026 is the execution year for India’s Digital Personal Data Protection (DPDP) regime , the Rules were notified in November 2025 and the government has signalled a phased enforcement timeline. The law is consent-centric, imposes heavy penalties (up to ₹250 crore for the most serious security failures), creates a new institutional stack (Data Protection Board, Consent Managers), and elevates privacy to boardroom priority. Organizations that treat compliance as a strategic investment, not a cost centre, will gain trust, operational resilience, and competitive advantage. Key themes for 2026: consent at scale, data minimization, hardened security, vendor accountability, and new dependency risks arising from Consent Manager infrastructure.

Why 2026 Matters

The DPDP Act (2023) becomes operational through Rules notified in November 2025; the result is a staggered compliance timetable that places 2026 squarely in the execution phase. That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress. The practical effect is immediate: companies must move from policy documents to implemented consent systems, security controls, breach workflows, and vendor governance.

The High-Impact Obligations

• Explicit consent architecture: Consent must be free, specific, informed and obtained by clear affirmative action. Systems must record, revoke and propagate consent signals reliably.
• Data minimization & purpose limitation: Collect only what’s necessary and purge data when the purpose is fulfilled.
• Reasonable security safeguards: Highest penalty bracket (up to ₹250 crore) for failures to implement required security measures. Encryption, tokenization, RBAC, monitoring and secure third-party contracts are expected.
• Breach notification: Obligatory notification to the Data Protection Board and affected principals, with tight timelines (public guidance references 72-hour reporting windows for board notification).
• Data subject rights: Access, correction, erasure, withdrawal of consent and grievance mechanisms must be operational and auditable.
• Children’s data: Verifiable parental consent and prohibitions on behavioural profiling/targeted advertising toward minors; failures risk very high penalties.
• Consent Managers: New regulated intermediaries where individuals may centrally manage consent; only India-incorporated entities meeting financial/operational thresholds (minimum net worth indicated in Rules) can register. This constructs a new privacy infrastructure and a new dependency vector for data fiduciaries.

Implementation Challenges & Strategic Opportunities

1. Key Implementation Challenges

Challenge Area	What Will Break / Strain in 2026	Why It Matters to Leadership	Strategic Imperative
Regulatory Ambiguity & Evolving Interpretation	Unclear operational expectations around “informed consent,” Significant Data Fiduciary designation, and cross-border data transfers	Risk of over-engineering or non-compliance as regulatory guidance evolves	Build modular, configurable privacy architectures that can adapt without re-platforming
Legacy Systems & Distributed Data	Difficulty retrofitting consent enforcement, encryption, audit trails, and real-time controls into legacy and batch-oriented systems	High cost, operational disruption, and extended timelines for compliance	Prioritize modernization of high-risk systems and align vendor roadmaps with DPDP requirements
Organizational Governance & Talent Gaps	Privacy cuts across legal, product, engineering, HR, procurement—often without clear ownership; shortage of experienced DPOs	Fragmented accountability increases regulatory and breach risk	Establish cross-functional privacy governance; leverage fractional DPOs and external advisors while building internal capability
Children’s Data & Onboarding Friction	Age verification and parental consent slow user onboarding and impact conversion metrics	Direct revenue and growth impact if UX is not carefully redesigned	Re-engineer onboarding flows to balance compliance with user experience, especially in consumer platforms
Consent Manager Dependency & Systemic Risk	Outages or breaches at registered Consent Managers can affect multiple data fiduciaries simultaneously	Creates concentration and third-party systemic risk	Design fallback mechanisms, redundancy plans, and enforce strong SLAs and audit rights

 2. Strategic Opportunities: Turning Compliance into Advantage

Opportunity Area	Business Value	Strategic Outcome
Trust as a Market Differentiator	Privacy becomes a competitive trust signal, particularly in fintech, healthtech, and BFSI ecosystems.	Strong DPDP compliance enhances brand equity, customer loyalty, partner confidence, and investor perception.
Operational Efficiency & Risk Reduction	Data minimization, encryption, and segmentation reduce storage costs and limit breach blast radius.	Privacy investments double as technical debt reduction with measurable ROI and lower incident recovery costs.
Global Market Access	Alignment with global privacy principles simplifies cross-border expansion and compliance-sensitive partnerships.	Faster deal closures, reduced due diligence friction, and improved access to regulated international markets.
Domestic Privacy & RegTech Ecosystem Growth	Demand for Consent Managers, RegTech, and privacy engineering solutions creates a new domestic market.	Strategic opportunity for Indian vendors to lead in privacy infrastructure and export DPDP-aligned solutions globally.

DPDP Readiness Roadmap for 2026

Time Horizon	Key Actions	Primary Owners	Strategic Outcome
Immediate (0–3 Months)	• Establish Board-level Privacy Steering Committee •Appoint or contract a Data Protection Officer (DPO) • Conduct rapid enterprise data mapping (repositories, processors, high-risk data flows) • Triage high-risk systems for encryption, access controls, and logging • Update breach response runbooks to meet Board and individual notification timelines	Board, CEO, CISO, Legal, Compliance	Executive accountability for privacy; clear visibility of data risk exposure; regulatory-ready breach response posture
Short Term (3–9 Months)	• Deploy consent management platform interoperable with upcoming Consent Managers • Standardize DPDP-compliant vendor contracts and initiate bulk vendor renegotiation/audits • Automate data principal request handling (identity verification, APIs, evidence trails)	CISO, CTO, Legal, Procurement, Product	Operational DPDP compliance at scale; reduced manual handling risk; strengthened third-party governance
Medium Term (9–18 Months)	• Implement data minimization and archival policies focused on high-sensitivity datasets • Embed Privacy Impact Assessments (PIAs) into product development (“privacy by design”) • Stress-test reliance on Consent Managers and negotiate resilience SLAs and contingency plans	Product, Engineering, CISO, Risk, Procurement	Sustainable compliance architecture; reduced long-term data liability; privacy-integrated product innovation
Ongoing (Board Dashboard Metrics)	• Consent fulfillment latency & revocation success rate • Mean time to detect and notify data breaches (aligned to regulatory windows) • % of sensitive data encrypted at rest and in transit • Vendor compliance score and DPA coverage	Board, CISO, Risk & Compliance	Continuous assurance, measurable compliance maturity, and defensible regulatory posture

Board-Level Takeaway

DPDP compliance in 2026 is not a one-time legal exercise, it is an operating model change. Organizations that treat privacy as a board-governed, product-integrated, and metrics-driven discipline will outperform peers on regulatory trust, customer confidence, and incident resilience.

The Macro View: Data Sovereignty & Trust Infrastructure

The Rules reinforce India’s intention to control flows of citizen data while creating domestic privacy infrastructure (DPB + Consent Managers + data auditors). This is not just regulation; it is an economic strategy to build domestic capability in cloud, identity, security and RegTech, and to position India as a credible participant in global data governance conversations.

Act Strategically, Not Reactively

DPDP is a structural shift: it will change products, engineering practices, contracts, and customer expectations. 2026 will reveal winners and laggards. Those that embrace privacy as a governance discipline and a product differentiator will realize measurable advantages in trust, operational resilience, and market value. The alternative, waiting until enforcement escalates, risks fines, reputational harm and erosion of customer trust. (This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)

Asahi Group Holdings Ltd. is weighing the creation of a dedicated cybersecurity unit as it continues to deal with the prolonged impact of a ransomware incident that struck the company in late September. The Asahi cyberattack disrupted core operations, delayed financial reporting, and exposed vulnerabilities in both the company’s internal systems and Japan’s broader corporate cyber defenses.  The cyberattack on Asahi occurred on September 29, when a system disruption was detected at approximately 7:00 a.m. Japan Standard Time. Subsequent investigations confirmed that files within the company’s network had been encrypted by ransomware. By around 11:00 a.m. the same day, Asahi disconnected its network and isolated its data center in an effort to contain the damage.  According to Asahi Group Holdings, the attacker gained unauthorized access through network equipment located at a Group facility. Ransomware was deployed simultaneously across multiple active servers, and some employee PC devices connected to the network. While the impact has been limited to systems managed in Japan, the disruption has been extensive. 

Shift Toward Zero-Trust Security Model 

Chief Executive Officer Atsushi Katsuki said the incident has prompted a fundamental reassessment of how information security is handled at the management level. As part of its recovery, Asahi Group Holdings has scrapped the use of virtual private networks and is adopting a stricter “zero-trust” model, which assumes no user or device inside the network can be automatically trusted.  “Information security is a management issue that should be given the highest priority,” Katsuki said. “We thought we had taken sufficient measures, which were easily broken. It made me realize there’s no limit to the precautions that can be taken.”  The Asahi cyberattack froze key business systems in Japan, forcing the company to shift order processing and shipments offline. The disruption hit at a critical time, delaying deliveries of year-end gift sets, a seasonal mainstay for the Japanese beverage market. As a result, November sales of beer and other alcoholic beverages fell by more than 20% compared with the same period a year earlier. 

Operational and Financial Fallout Continues 

Operational disruptions have gradually eased, but the effects on financial reporting remain significant. Asahi Group Holdings now expects its annual earnings disclosure to be delayed by more than 50 days. While partial third-quarter figures were released in November, Katsuki declined to set a new date for the full earnings announcement.  Before the cyberattack on Asahi, the company had forecast that operating profit for the year ending in December would decline 5.2% to ¥255 billion ($1.6 billion), on sales of ¥2.95 trillion. Once reporting resumes, Asahi plans to outline its growth strategy, with a particular focus on non-alcoholic and low-alcohol beverages, along with its investment plans.  Despite the setback, Katsuki said the breach does not threaten Asahi’s long-term foundation and expressed confidence that lost market share can be recovered. He expects most systems to be restored by February, with shelf space recovery and full competitive positioning returning from March. 

Data Exposure, Recovery Efforts, and Broader Implications 

In parallel with restoring operations, Asahi Group Holdings has been conducting a detailed forensic investigation in collaboration with external cybersecurity experts. In a statement released on November 27, 2025, the company disclosed that some data from company-issued PCs had been exposed and that personal information stored on servers may also have been affected. As of that date, there was no confirmation that server-based personal data had been published on the internet.  The investigation identified the following categories of personal information that have been or may have been exposed: data belonging to approximately 1.525 million individuals who contacted customer service centers of Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods; information related to 114,000 external contacts who received congratulatory or condolence telegrams; personal details of 107,000 employees and retirees; and information concerning 168,000 family members of employees and retirees. Asahi confirmed that no credit card information was included.  On November 26, Asahi submitted a final report to Japan’s Personal Information Protection Commission and stated that affected individuals will be notified in due course. A dedicated inquiry hotline was established to respond to questions related to personal data exposure.  System restoration efforts have taken roughly two months and have included containment of ransomware, integrity checks, and enhanced security measures. Asahi said systems and devices confirmed to be secure will be restored in phases, with ongoing monitoring to prevent recurrence. Preventive measures include redesigned network controls, stricter connection restrictions, enhanced threat detection, updated backup strategies, revised business continuity plans, and expanded employee training and external audits. 

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

A cyberattack on Russia has reportedly targeted Russia’s digital military draft system. According to Grigory Sverdlin, head of the draft-dodging nonprofit Idite Lesom, anonymous hackers successfully breached a key developer of the system on Thursday. “For the next few months, the system, which holds 30 million records, will not be able to send people off to kill or die,” Sverdlin wrote on Facebook.   He added that his organization had received a large set of documents from the hackers, including source code, technical documentation, and internal communications from Russia’s software provider Micord, a central developer of the digital military draft system. 

Cyberattack on Russia’s Digital Military Draft System 

Micord’s website was reportedly inaccessible on Thursday, displaying a notice that it was under “technical maintenance.” Meanwhile, the investigative outlet IStories, which obtained the documents from Idite Lesom, confirmed the breach with Micord’s director, Ramil Gabdrahmanov.  “Listen, it could happen to anyone. Many are being attacked right now,” Gabdrahmanov said. He declined to confirm whether Micord had worked on Russia’s unified military registration database, stating, “We work on many different projects.” Nonetheless, IStories independently verified Micord’s involvement in the digital registry.  Despite the cyberattack on Russia’s digital military draft system, some users reported that the database website was still accessible, though it remained unclear whether electronic draft summonses had been disrupted. The Russian Defense Ministry dismissed the claims of a breach as “fake news,” asserting that the registry continued to operate normally.   “The registry has been repeatedly subjected to hacking attacks. They have all been successfully repelled,” the ministry said, emphasizing that attempts to disrupt the system had so far “failed to achieve their objectives", reported IStories.

Digital Military Draft System: Modernizing Russia’s Draft Process 

The digital military draft system, part of a broader modernization of Russia’s wartime enlistment process, centralizes records of men aged 18 to 30 and allows authorities to issue summonses online, eliminating the need for in-person notifications.  The system has faced multiple delays, with its initial launch scheduled for November 2024. Russia’s fall 2025 draft, which runs from October 1 to December 31, was expected to rely on this digital registry in four regions, including Moscow.  Sverdlin noted that once fully operational, the online system automatically enforces restrictions on draftees who fail to report for compulsory service, including travel bans.  

Origins and Government Plans for the Unified Registry 

The hacker group reportedly remained in Micord’s system for several months, accessing critical infrastructure, operational correspondence, and the source code, which they claimed to have destroyed. The documents were shared with journalists at IStories, who confirmed their authenticity.  The Russian government first announced plans for a unified digital military registration registry in April 2023, when the State Duma passed a bill creating the system. RT Labs, a Rostelecom subsidiary, was initially named as one of the developers.   In February 2024, Rostelecom was designated as the sole contractor to complete the system for the Ministry of Digital Development, Communications, and Mass Media, with a completion deadline of December 31, 2024. Though initially intended for the 2024 fall draft, the registry became fully operational only in October 2025, with several regions adopting electronic summonses and phasing out paper notifications. 

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million people in the UK. The data breach occurred in August 2022 and was the result of two isolated incidents that, when combined, enabled a hacker to gain unauthorized access to LastPass’ backup database. The stolen information included customer names, email addresses, phone numbers, and stored website URLs. While the data breach exposed sensitive personal information, the ICO confirmed there is no evidence that hackers were able to decrypt customer passwords. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, which ensures that master passwords and vaults are stored locally on customer devices and never shared with the company.

Incident One: Corporate Laptop Compromised

The first incident involved a LastPass employee’s corporate laptop based in Europe. A hacker gained access to the company’s development environment and obtained encrypted company credentials. Although no personal information was taken at this stage, the credentials could have provided access to the backup database if decrypted. LastPass attempted to mitigate the hacker’s activity and believed the encryption keys remained safe, as they were stored outside the compromised environment in the vaults of four senior employees.

Incident Two: Personal Device Targeted

The second incident proved more damaging. The hacker targeted one of the senior employees who had access to the decryption keys. Exploiting a known vulnerability in a third‑party streaming service, the attacker gained access to the employee’s personal device. A keylogger was installed, capturing the employee’s master password. Multi‑factor authentication was bypassed using a trusted device cookie. This allowed the hacker to access both the employee’s personal and business LastPass vaults, which were linked by a single master password. From there, the hacker obtained the Amazon Web Service (AWS) access key and decryption key stored in the business vault. Combined with information taken the previous day, this enabled the extraction of the backup database containing customer personal information.

ICO’s Findings and Fine on LastPass UK

The ICO investigation concluded that LastPass failed to implement sufficiently strong technical and security measures, leaving customers exposed. Although the company’s zero knowledge encryption protected passwords, the exposure of personal data was deemed a serious failure. John Edwards, UK Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to reduce risks of attack. LastPass customers had a right to expect their personal information would be kept safe and secure. The company fell short of this expectation, resulting in the proportionate fine announced today.”

Lessons for Businesses

The ICO has urged all UK businesses to review their systems and procedures to prevent similar risks. This case underscores the importance of restricting system access, strengthening cybersecurity measures, and ensuring that employees’ personal devices do not become weak points in corporate networks. While password managers remain a recommended tool for managing login details, the incident shows that even trusted providers can fall short if internal safeguards are not sufficiently strong. The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold the highest standards of security. Although customer passwords were protected by the company’s zero knowledge encryption system, the exposure of personal information has left millions vulnerable. The ICO’s ruling reinforces the need for constant vigilance in the face of growing cyber threats. For both businesses and individuals, the message is straightforward: adopt strong security practices, conduct regular system reviews, and implement robust employee safeguards to reduce the risk of future data breaches.

Microsoft Corp. has announced a major update to its bug bounty program, extending coverage to include any vulnerability affecting its online services. This new framework, referred to as “In Scope By Default,” is an important shift in how the tech giant approaches coordinated vulnerability disclosure.  Under this updated model, every Microsoft online service is automatically eligible for bounty awards from the moment it launches. Previously, the company relied on product-specific scope definitions, which often caused confusion for security researchers and limited the range of vulnerabilities eligible for rewards. By making all services In Scope By Default, Microsoft aims to make participation in the bug bounty program more predictable while ensuring critical vulnerabilities are addressed and incentivized regardless of their origin.  A key feature of the expanded scope is its coverage of third-party and open-source components integrated into Microsoft services. This means that vulnerabilities in external libraries, dependencies, or open-source packages that power Microsoft’s cloud infrastructure are now eligible for bug bounty rewards, not just flaws in Microsoft’s own software. 

A Strategic Shift in Bug Bounty Security Incentives 

Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), highlighted the significance of the change in a December 11, 2025, blog post. He described it as more than an administrative adjustment, calling it a structural realignment designed to reflect real-world risk. Gallagher explained that by defaulting all services into scope, Microsoft hopes to reduce reporting delays, minimize confusion, and allow researchers to focus on vulnerabilities with meaningful impact on customers.  “If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher stated. “If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”  The new policy also allows Microsoft to collaborate more effectively with researchers on upstream or third-party vulnerabilities. The company can now assist with developing fixes or support maintainers when issues in external codebases directly affect Microsoft services. 

Industry Reaction and Expected Impact 

All new Microsoft online services now fall under bug bounty coverage from day one, while millions of existing endpoints no longer require manual approval to qualify. The update is designed to make it easier for security professionals to identify and report vulnerabilities across Microsoft’s expansive ecosystem.  The new approach aligns with Microsoft’s broader security philosophy in an AI- and cloud-first environment, where attackers exploit any weak link, regardless of ownership. According to Gallagher, “Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.”  Last year, Microsoft’s bug bounty program and its Zero Day Quest live-hacking event awarded over $17 million to researchers for high-impact discoveries. With the In Scope By Default initiative, the company expects to expand eligibility even further, particularly in areas involving Microsoft-owned domains, cloud services, and third-party or open-source code.  Researchers participating in the program are expected to follow Microsoft’s Rules of Engagement for Responsible Security Research, ensuring customer privacy and data protection while enabling coordinated vulnerability disclosure. By widening its bug bounty scope, Microsoft aims to raise the overall security bar. 

The City of Cambridge has released an important update regarding the OnSolve CodeRED emergency notifications system, also known locally as Cambridge’s reverse 911 system. The platform, widely used by thousands of local governments and public safety agencies across the country, was taken offline in November following a nationwide OnSolve CodeRED cyberattack. Residents who rely on CodeRED alerts for information about snow emergencies, evacuations, water outages, or other service disruptions are being asked to take immediate steps to secure their accounts and continue receiving notifications.

Impact of the OnSolve CodeRED Cyberattack on User Data

According to city officials, the data breach affected CodeRED databases nationwide, including Cambridge. The compromised information may include phone numbers, email addresses, and passwords of registered users. Importantly, the attack targeted the OnSolve CodeRED system itself, not the City of Cambridge or its departments. This OnSolve CodeRED cyberattack incident mirrors similar concerns raised in Monroe County, Georgia, where officials confirmed that residents’ personal information was also exposed. The Monroe County Emergency Management Agency emphasized that the breach was part of a nationwide cybersecurity incident and not a local failure.

Transition to CodeRED by Crisis24

In response, OnSolve permanently decommissioned the old CodeRED platform and migrated services to a new, secure environment known as CodeRED by Crisis24. The new system has undergone comprehensive security audits, including penetration testing and system hardening, to ensure stronger protection against future threats. For Cambridge residents, previously registered contact information has been imported into the new platform. However, due to security concerns, all passwords have been removed. Users must now reset their credentials before accessing their accounts.

Steps for City of Cambridge Residents and Users

To continue receiving emergency notifications, residents should:

• Visit accountportal.onsolve.net/cambridgema
• Enter their username (usually an email address)
• Select “forgot password” to verify and reset credentials
• If unsure of their username, use the “forgot username” option

Officials strongly advise against reusing old CodeRED passwords, as they may have been compromised. Instead, users should create strong, unique passwords and update their information once logged in. Additionally, anyone who used the same password across multiple accounts is urged to change those credentials immediately to reduce the risk of further exposure.

Broader National Context

The Monroe County cyberattack highlights the scale of the issue. Officials there reported that data such as names, addresses, phone numbers, and passwords were compromised. Residents who enrolled before March 31, 2025, had their information migrated to the new Crisis24 CodeRED platform, while those who signed up afterward must re‑enroll. OnSolve has reassured communities that the intrusion was contained within the original system and did not spread to other networks. While there is currently no evidence of identity theft, the incident underscores the growing risks of cyber intrusions nationwide.

Resources for Cybersecurity Protection

Residents who believe they may have been victims of cyber‑enabled fraud are encouraged to report incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Additional resources are available to help protect individuals and families from fraud and cybercrime. Security experts note that the rising frequency of attacks highlights the importance of independent threat‑intelligence providers. Companies such as Cyble track vulnerabilities and cybercriminal activity across global networks, offering organizations tools to strengthen defenses and respond more quickly to incidents.

Looking Ahead

The City of Cambridge has thanked residents for their patience as staff worked with OnSolve to restore emergency alert capabilities. Officials emphasized that any breach of security is a serious concern and confirmed that they will continue monitoring the new CodeRED by Crisis24 platform to ensure its standards are upheld. In addition, the City is evaluating other emergency alerting systems to determine the most effective long‑term solution for community safety.

A study of honeypot and cyber deception technologies by the UK’s National Cyber Security Centre (NCSC) found that the deception tools hold promise for disrupting cyberattacks, but more information and standards are needed for them to work optimally. The agency plans to help with that. The NCSC test involved 121 organizations, 14 commercial providers of honeypots and deception tools, and 10 trials across environments ranging from the cloud to operational technology (OT). The NCSC concluded that “cyber deception can work, but it’s not plug-and-play.”

Honeypot and Cyber Deception Challenges

The NCSC said surveyed organizations believe that cyber deception technologies can offer “real value, particularly in detecting novel threats and enriching threat intelligence,” and a few even see potential for identifying insider threats. “However, outcome-based metrics were not readily available and require development,” the NCSC cautioned. The UK cybersecurity agency said the effectiveness of honeypots and cyber deception tools “depends on having the right data and context. We found that cyber deception can be used for visibility in many systems, including legacy or niche systems, but without a clear strategy organisations risk deploying tools that generate noise rather than insight.” The NCSC blog post didn’t specify what data was missing or needed to be developed to better measure the effectiveness of deception technologies, but the agency nonetheless concluded that “there’s a compelling case for increasing the use of cyber deception in the UK.” The study examined three core assumptions:

• Cyber deception technologies can help detect compromises already inside networks.
• Cyber deception and honeypots can help detect new attacks as they happen.
• Cyber deception can change how attackers behave if they know an organization is using the tools.

Terminology, Guidance Needed for Honeypots and Deception Tools

The tests, conducted under the Active Cyber Defence (ACD) 2.0 program, also found that inconsistent terminology and guidance hamper optimal use of the technologies. “There’s a surprising amount of confusion around terminology, and vocabulary across the industry is often inconsistent,” NCSC said. “This makes it harder for organisations to understand what’s on offer or even what they’re trying to achieve. We think adopting standard terminology should help and we will be standardising our cyber deception vocabulary.” Another challenge is that organizations don’t know where to start. “They want impartial advice, real-world case studies, and reassurance that the tools they’re using are effective and safe,” the agency said. “We’ve found a strong marketplace of cyber deception providers offering a wide range of products and services. However, we were told that navigating this market can be difficult, especially for beginners.” The NCSC said it thinks it can help organizations “make informed, strategic choices.”

Should Organizations Say if They’re Using Deception Tools?

One interesting finding is that 90% of the trial participants said they wouldn’t publicly announce that they use cyber deception. While it’s understandable not to want to tip off attackers, the NCSC said that academic research shows that “when attackers believe cyber deception is in use they are less confident in their attacks. This can impose a cost on attackers by disrupting their methods and wasting their time, to the benefit of the defenders.” Proper configuration is also a challenge for adopters. “As with any cyber security solution, misconfiguration can introduce new vulnerabilities,” the NCSC said. “If cyber deception tools aren’t properly configured, they may fail to detect threats or lead to a false sense of security, or worse, create openings for attackers. As networks evolve and new tools are introduced, keeping cyber deception tools aligned requires ongoing effort. It is important to consider regular updates and fine-tuning cyber deception solutions.” Next steps for the NCSC involve helping organizations better understand and deploy honeypots and deception tools, possibly through a new ACD service. “By helping organisations to understand cyber deception and finding clear ways to measure impact, we are building a strong foundation to support the deployment of cyber deception at a national scale in the UK,” the agency said. “We are looking at developing a new ACD service to achieve this. “One of the most promising aspects of cyber deception is its potential to impose cost on adversaries,” the NCSC added. “By forcing attackers to spend time and resources navigating false environments, chasing fake credentials, or second-guessing their access, cyber deception can slow down attacks and increase the likelihood of detection. This aligns with broader national resilience goals by making the UK a harder, more expensive target.”

OpenAI has issued a cautionary statement that its forthcoming AI models could present “high” cybersecurity risks as their capabilities rapidly advance. The warning, published on Wednesday, noted the potential for these AI models to either develop zero-day exploits against well-defended systems or assist in enterprise or industrial intrusion operations with tangible real-world consequences.  The company, known for ChatGPT, explained that as AI capabilities grow, its models could reach levels where misuse might have an impact. OpenAI highlighted the dual-use nature of these technologies, noting that techniques used to strengthen defenses can also be repurposed for malicious operations. “As AI capabilities advance, we are investing in strengthening models for defensive cybersecurity tasks and creating tools that enable defenders to more easily perform workflows such as auditing code and patching vulnerabilities,” the blog post stated.  To mitigate these risks, OpenAI is implementing a multi-layered strategy involving access controls, infrastructure hardening, egress controls, monitoring, and ongoing threat intelligence efforts. These protection methods are designed to go alongside the threat landscape, ensuring a quick response to new risks while preserving the utility of AI models for defensive purposes. 

Assessing Cybersecurity Risks in AI Models 

OpenAI noted that the cybersecurity proficiency of its AI models has improved over recent months. Capabilities measured through capture-the-flag (CTF) challenges increased from 27% on GPT‑5 in August 2025 to 76% on GPT‑5.1-Codex-Max by November 2025. The company expects this trajectory to continue and is preparing scenarios in which future models could reach “High” cybersecurity levels, as defined by its internal Preparedness Framework.  These high-level models could, for instance, autonomously develop working zero-day exploits or assist in stealthy cyber intrusions. OpenAI emphasized that its approach to safeguards combines technical measures with careful governance of model access and application. The company aims to ensure that these AI capabilities strengthen security rather than lower barriers to misuse. 

Frontier Risk Council and Advisory Initiatives 

In addition to technical measures, OpenAI is establishing the Frontier Risk Council, an advisory group that will bring experienced cyber defenders and security practitioners into direct collaboration with its teams. Initially focusing on cybersecurity, the council will eventually expand to other frontier AI capability domains. Members will advise balancing useful, responsible capabilities with the potential for misuse, informing model evaluations. OpenAI is also exploring a trusted access program for qualifying users and customers working in cyber defense. This initiative aims to provide tiered access to enhanced AI capabilities while maintaining control over potential misuse.  Beyond these initiatives, OpenAI collaborates with global experts, red-teaming organizations, and the broader cybersecurity community to evaluate potential risks and improve safety measures. This includes end-to-end red teaming to simulate adversary attacks and detection systems designed to intercept unsafe activity, with escalation protocols combining automated and human review. 

Dual-Use Risks and Mitigation 

OpenAI stressed that cybersecurity capabilities in AI models are inherently dual-use, with offensive and defensive knowledge often overlapping. To manage this, the company employs a defense-in-depth strategy, layering protection methods such as access controls, monitoring, detection, and enforcement programs. Models are trained to refuse harmful requests while remaining effective for legitimate educational and defensive applications.  OpenAI also works through the Frontier Model Forum, a nonprofit initiative involving leading AI labs, to develop shared threat models and ecosystem-wide best practices. This collaborative approach aims to create a consistent understanding of potential attack vectors and mitigation strategies across the AI industry. 

Historical Context and Risk Management 

This recent warning aligns with OpenAI’s prior alerts regarding frontier risks. In April 2025, the company issued a similar caution concerning bioweapons risks, followed by the release of ChatGPT Agent in July 2025, which was assessed as “high” on risk levels. These measures reflect OpenAI’s ongoing commitment to evaluate and publicly disclose potential hazards from advanced AI capabilities.  The company’s updated Preparedness Framework categorizes AI capabilities according to risk and guides operational safeguards. It distinguishes between “High” capabilities, which could amplify existing pathways to severe harm, and “Critical” capabilities, which could create unprecedented risks. Each new AI model undergoes rigorous evaluation to ensure that it sufficiently minimizes risks before deployment. 

Government contractor fraud is at the heart of a new indictment returned by a federal grand jury in Washington, D.C. against a former senior manager in Virginia. Prosecutors say Danielle Hillmer, 53, of Chantilly, misled federal agencies for more than a year about the security of a cloud platform used by the U.S. Army and other government customers. The indictment, announced yesterday, charges Hillmer with major government contractor fraud, wire fraud, and obstruction of federal audits. According to prosecutors, she concealed serious weaknesses in the system while presenting it as fully compliant with strict federal cybersecurity standards.

Government Contractor Fraud: Alleged Scheme to Mislead Agencies

According to court documents, Hillmer’s actions spanned from March 2020 through November 2021. During this period, she allegedly obstructed auditors and misrepresented the platform’s compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Risk Management Framework. The indictment claims that while the platform was marketed as a secure environment for federal agencies, it lacked critical safeguards such as access controls, logging, and monitoring. Despite repeated warnings, Hillmer allegedly insisted the system met the FedRAMP High baseline and DoD Impact Levels 4 and 5, both of which are required for handling sensitive government data.

Obstruction of Audits

Federal prosecutors allege Hillmer went further by attempting to obstruct third-party assessors during audits in 2020 and 2021. She is accused of concealing deficiencies and instructing others to hide the true state of the system during testing and demonstrations. The indictment also states that Hillmer misled the U.S. Army to secure sponsorship for a Department of Defense provisional authorization. She allegedly submitted, and directed others to submit, authorization materials containing false information to assessors, authorizing officials, and government customers. These misrepresentations, prosecutors say, allowed the contractor to obtain and maintain government contracts under false pretenses.

Charges and Potential Penalties

Hillmer faces two counts of wire fraud, one count of major government fraud, and two counts of obstruction of a federal audit. If convicted, she could face:

• Up to 20 years in prison for each wire fraud count
• Up to 10 years in prison for major government fraud
• Up to 5 years in prison for each obstruction count

A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. The indictment was announced by Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division and Deputy Inspector General Robert C. Erickson of the U.S. General Services Administration Office of Inspector General (GSA-OIG). The case is being investigated by the GSA-OIG, the Defense Criminal Investigative Service, the Naval Criminal Investigative Service, and the Department of the Army Criminal Investigation Division. Trial Attorneys Lauren Archer and Paul Hayden of the Criminal Division’s Fraud Section are prosecuting the case.

Broader Implications of Government Contractor Fraud

The indictment highlights ongoing concerns about the integrity of cloud platforms used by federal agencies. Programs like FedRAMP and the DoD’s Risk Management Framework are designed to ensure that systems handling sensitive government data meet rigorous security standards. Allegations that a contractor misrepresented compliance raise questions about oversight and the risks posed to national security when platforms fall short of requirements. Federal officials emphasized that the government contractor fraud case highlights the importance of transparency and accountability in government contracting, particularly in areas involving cybersecurity. Note: It is important to note that an indictment is merely an allegation. Hillmer, like all defendants, is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Google has addressed a Gemini zero-click security flaw that allows silent data extraction from corporate environments using the company’s AI assistant tools. The issue, identified as a vulnerability in Gemini Enterprise, was uncovered in June 2025 by researchers at Noma Security, who immediately reported it to Google.  The researchers named the flaw GeminiJack, describing it as an architectural weakness affecting both Google’s Gemini Enterprise, its suite of corporate AI assistant tools, and Vertex AI Search, which supports AI-driven search and recommendation functions on Google Cloud.  According to security researchers, the issue allowed a form of indirect prompt injection. Attackers could embed malicious instructions inside everyday documents stored or shared through Gmail, Google Calendar, Google Docs, or any other Workspace application that Gemini Enterprise had permission to access. When the system interacted with the poisoned content, it could be manipulated to exfiltrate sensitive information without the target's knowledge.  The defining trait of the attack was that it required no interaction from the victim. Researchers noted that exploiting Gemini zero-click behavior meant employees did not need to open links, click prompts, or override warnings. The attack also bypassed standard enterprise security controls. 

How the GeminiJack Attack Chain Worked 

Noma Security detailed several stages in the GeminiJack attack sequence, showing how minimal attacker effort could trigger high-impact consequences: 

1. Content Poisoning: An attacker creates a harmless-looking Google Doc, Calendar entry, or Gmail message. Hidden inside was a directive instructing Gemini Enterprise to locate sensitive terms within authorized Workspace data and embed those results into an image URL controlled by the attacker. 
2. Trigger: A regular employee performing a routine search could inadvertently cause the AI to fetch and process the tampered content. 
3. AI Execution: Once retrieved, Gemini misinterpreted the hidden instructions as legitimate. The system then scanned corporate Workspace data, based on its existing access permissions, for the specified sensitive information. 
4. Exfiltration: During its response, the AI inserted a malicious image tag. When the browser rendered that tag, it automatically transmitted the extracted data to the attacker's server using an ordinary HTTP request. This occurred without detection, sidestepping conventional defenses. 

Researchers explained that the flaw existed because Gemini Enterprise’s search function relies on Retrieval-Augmented Generation (RAG). RAG enables organizations to query multiple Workspace sources through pre-configured access settings.  “Organizations must pre-configure which data sources the RAG system can access,” the researchers noted. “Once configured, the system has persistent access to these data sources for all user queries.” They added that the vulnerability exploited “the trust boundary between user-controlled content in data sources and the AI model’s instruction processing.”  A step-by-step proof-of-concept for GeminiJack was published on December 8. 

Google’s Response and Industry Implications 

Google confirmed receiving the report in August 2025 and collaborated with the researchers to resolve the issue. The company issued updates modifying how Gemini Enterprise and Vertex AI Search interact with retrieval and indexing systems. Following the fix, Vertex AI Search was fully separated from Gemini Enterprise and no longer shares the same LLM-based workflows or RAG functionality.  Despite the patch, security researchers warned that similar indirect prompt-injection attacks could emerge as more organizations adopt AI systems with expansive access privileges. Traditional perimeter defenses, endpoint security products, and DLP tools, they noted, were “not designed to detect when your AI assistant becomes an exfiltration engine.”  “As AI agents gain broader access to corporate data and autonomy to act on instructions, the blast radius of a single vulnerability expands exponentially,” the researchers concluded. They advised organizations to reassess trust boundaries, strengthen monitoring, and stay up to date on AI security work. 

2025 will be remembered as the year cyber threats reached a breaking point. With nearly 6,000 ransomware incidents, more than 6,000 data breaches, and over 3,000 sales of compromised corporate access, enterprises across the globe faced one of the most dangerous digital landscapes on record. Manufacturing plants halted production, government agencies struggled to contain leaks, and critical infrastructure endured direct hits. Cyble Global Cybersecurity Report 2025 highlights that ransomware attacks surged 50% year-over-year. Not only this, the Global Cybersecurity Report 2025 stated that data breaches climbed to their second-highest level ever, and the underground market for stolen access flourished. Together, these figures reveal not just isolated events, but a systemic escalation of cybercrime that is reshaping the way organizations must defend themselves.

Cyble Global Cybersecurity Report 2025: A Year of Escalation

The Cyble Global Cybersecurity Report 2025 documented 5,967 ransomware attacks, representing a 50% increase year-over-year. Alongside this, 6,046 data breaches and leaks were recorded, the second-highest level ever observed. The underground market for compromised initial access also thrived, with 3,013 sales fueling the global cybercrime economy. Daksh Nakra, Senior Manager of Research and Intelligence at Cyble, described 2025 as a “Major power shift in the threat landscape,” noting that new ransomware groups quickly filled the void left by law enforcement crackdowns. The combination of supply chain attacks and rapid weaponization of zero-day vulnerabilities created what he called “a perfect storm” for enterprises worldwide.

Ransomware Landscape Transformed

Two groups stood out in 2025. Akira ransomware emerged as the second-most prolific group behind Qilin, launching sustained campaigns across Construction, Manufacturing, and Professional Services. Its opportunistic targeting model allowed it to compromise nearly every major industry vertical. Meanwhile, CL0P ransomware reaffirmed its reputation as a zero-day specialist. In February 2025, CL0P executed a mass campaign exploiting enterprise file transfer software, posting hundreds of victims in a single wave. Consumer Goods, Transportation & Logistics, and IT sectors were among the hardest hit.

Key Ransomware Statistics

• 5,967 total ransomware attacks in 2025 (50% increase year-over-year)
• The manufacturing sector most targeted, suffering the highest operational disruption
• Construction, Professional Services, Healthcare, and IT are among the top five targets
• The United States experienced the majority of attacks; Australia entered the top-five list for the first time
• 31 incidents directly impacted critical infrastructure

Data Breaches Near Record Levels

Government and law enforcement agencies were disproportionately affected, accounting for 998 incidents (16.5% of total breaches). The Banking, Financial Services, and Insurance (BFSI) sector followed with 634 incidents. Together, these two sectors represented more than a quarter of all breaches, highlighting attackers’ focus on sensitive citizen data and financial information. The sale of compromised corporate access continued to fuel cybercrime. Cyble’s analysis revealed 3,013 access sales, with the Retail sector most heavily targeted at 594 incidents (nearly 20%). BFSI followed with 284 incidents, while Government agencies accounted for 175 incidents.

Vulnerabilities Drive Attack Surge

Cyble Global Cybersecurity Report 2025 further highlighted that critical flaws in widely deployed enterprise technologies served as primary entry points. Among the most exploited were:

• CVE-2025-61882 (Oracle E-Business Suite RCE) – leveraged by CL0P
• CVE-2025-10035 (GoAnywhere MFT RCE) – exploited by Medusa
• Multiple vulnerabilities in Fortinet, Ivanti, and Cisco products with CVSS scores above 9.0

In total, 94 zero-day vulnerabilities were identified in 2025, with 25 scoring above 9.0. Over 86% of CISA’s Known Exploited Vulnerabilities catalog entries carried CVSS ratings of 7.0 or higher, with Microsoft, Fortinet, Apple, Cisco, and Oracle most frequently affected.

Geopolitical Hacktivism Surges

According to Cyble's global cybersecurity report 2025, hacktivist activity reached an unprecedented scale, with over 40,000 data leaks and dump posts impacting 41,400 unique domains. Much of this activity was driven by geopolitical conflicts:

• The Israel-Iran conflict triggered operations by 74 hacktivist groups
• India-Pakistan tensions generated 1.5 million intrusion attempts
• North Korea’s IT worker fraud schemes infiltrated global companies
• DDoS attacks, website defacements, and breaches targeted governments and critical infrastructure

Industry-Specific Insights

• Manufacturing: Most attacked sector due to reliance on OT/ICS environments and low tolerance for downtime
• Construction: Heavily targeted by Akira; time-sensitive projects created maximum pressure points
• Professional Services: Law firms and consultancies compromised for sensitive client data and supply chain leverage
• Healthcare: Continued to face attacks from groups like BianLian, Abyss, and INC Ransom due to critical data availability needs
• IT & ITES: Service providers exploited to enable cascading supply chain attacks against downstream customers

Outlook

The numbers from Cyble Global Cybersecurity Report 2025 highlight that ransomware is up by 50%, thousands of breaches, and a booming underground economy for compromised access. With critical infrastructure, government agencies, and high-value industries increasingly in the crosshairs, the Cyble global cybersecurity report 2025 highlights the urgency for global enterprises to strengthen defenses against a rapidly evolving threat landscape.

For a full analysis, the Global Cybersecurity Report 2025 is available at Cyble Research Reports.

Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability

The U.S. Department of Justice has unveiled a series of actions against two Russian state-supported cyber collectives, CARR (also known as CyberArmyofRussia_Reborn or CyberArmyofRussia) and NoName057(16), with prosecutors unsealing dual indictments against Ukrainian national Victoria Eduardovna Dubranova, 33. Dubranova, known online as “Vika,” “Tory,” and “SovaSonya,” is accused of participating in destructive campaigns against critical infrastructure worldwide on behalf of Russian geopolitical objectives.  Dubranova was extradited to the United States earlier in 2025 on charges tied to CARR, and she has now been arraigned on a second indictment connected to NoName057(16). She pleaded not guilty in both proceedings. Trial in the NoName057(16) case is scheduled for February 3, 2026, while the CARR case is set for April 7, 2026. 

Russian Government Involvement 

According to prosecutors, both CARR and NoName057(16) operated with direct or indirect support from Moscow. CARR allegedly received Russian government funding used to acquire cyber tools, including subscriptions to DDoS-for-hire services. NoName057(16) was described as a covert, state-blessed endeavor tied to the Center for the Study and Network Monitoring of the Youth Environment (CISM), an IT organization established in 2018 by presidential order in Russia. Employees of that organization reportedly helped build NoName057(16)’s proprietary DDoS software, known as DDoSia.  [caption id="" align="alignnone" width="2048"] Notification of CARR and Z-Pentest Hackers (Source: Rewards for Justice)[/caption] Assistant Attorney General for National Security John A. Eisenberg said the enforcement effort demonstrates the Department’s commitment “to disrupting malicious Russian cyber activity, whether conducted directly by state actors or their criminal proxies,” emphasizing the need to defend key resources such as food and water systems.  First Assistant U.S. Attorney Bill Essayli warned that state-aligned hacktivist groups, including CARR and NoName057(16), pose serious national security concerns because they enable foreign intelligence services to obscure their involvement by using civilian proxies.  FBI Cyber Division Assistant Director Brett Leatherman stated that the Bureau will continue exposing and pursuing pro-Russia actors, including those with ties to the GRU. EPA Acting Assistant Administrator Craig Pritzlaff added that targeting water systems presents immediate hazards, pledging continued pursuit of individuals who threaten public resources. 

Cyber Army of Russia Reborn (CARR / CyberArmyofRussia) 

According to the indictments, CARR, also known as Z-Pentest and linked to CyberArmyofRussia, was created, funded, and directed by Russia’s GRU. The group has claimed responsibility for hundreds of global cyberattacks, including intrusions into U.S. critical infrastructure. CARR regularly published evidence of its operations on Telegram, where it amassed more than 75,000 followers and reportedly consisted of over 100 members, some of whom were juveniles.  The group allegedly targeted industrial control systems and carried out widespread DDoS attacks. Victims included public drinking water systems in multiple U.S. states, where operational disruptions led to the release of hundreds of thousands of gallons of drinking water. In November 2024, CARR allegedly attacked a meat processing plant in Los Angeles, causing thousands of pounds of meat to spoil and triggering an ammonia leak. The group also targeted election infrastructure and websites linked to nuclear regulatory bodies.  A figure known as “Cyber_1ce_Killer,” associated with at least one GRU officer, allegedly advised CARR on target selection and financed access to cybercriminal services. Dubranova faces charges including conspiracy to damage protected computers, tampering with public water systems, damaging protected computers, access device fraud, and aggravated identity theft. The statutory maximum penalty is 27 years in federal prison. 

NoName057(16) 

The indictment describes NoName057(16) as a clandestine project involving CISM personnel and external cyber actors. The group conducted hundreds of DDoS attacks in support of Russian interests, using its proprietary tool DDoSia. Participants worldwide were encouraged to run DDoSia, with rankings published on Telegram and cryptocurrency rewards doled out to top performers.  Targets included government agencies, ports, rail systems, financial institutions, and other high-value operations. For Dubranova, the NoName057(16) indictment carries a single charge of conspiracy to damage protected computers, with a maximum penalty of five years.  The law enforcement actions form part of Operation Red Circus, with coordination from Europol’s Operation Eastwood. In July 2025, investigators across 19 countries disrupted more than 100 servers linked to NoName057(16). Authorities also arrested two members outside Russia, announced charges against five individuals, and conducted searches of two service providers and 22 group members. The FBI also suspended the group’s primary X account. 

Rewards and Prior Sanctions 

The State Department simultaneously announced rewards of up to $2 million for information on CARR / CyberArmyofRussia members and up to $10 million for intelligence on NoName057(16) actors. A Joint Cybersecurity Advisory released by multiple U.S. agencies warned that Russian-aligned hacktivist groups exploit insecure VNC connections to access critical operational technology devices, a tactic linked to physical damage in several incidents.  Federal action against CARR is longstanding. On July 19, 2024, the Treasury Department sanctioned Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko for cyber operations targeting U.S. infrastructure. Degtyarenko was accused of accessing a SCADA system belonging to a U.S. energy company and developing training materials on exploiting similar systems.  CARR’s attacks escalated in late 2023 and throughout 2024, including manipulations of unsecured industrial systems across water, hydroelectric, wastewater, and energy facilities in the U.S. and Europe. Water utilities in Indiana, New Jersey, and Texas were among the affected sites, with one town forced into manual operations. In January 2024, CARR published a video showing interference with human-machine interfaces at a U.S. water utility. 

On a cozy December morning, as children in Australia set their bags aside for the holiday season and held their tabs and phones in hand to take that selfie and announce to the world they were all set for the fun to begin, something felt a miss. They couldn't access their Snap Chat and Instagram accounts. No it wasn't another downtime caused by a cyberattack, because they could see their parents lounging on the couch and laughing at the dog dance reels. So why were they not able to? The answer: the ban on social media for children under 16 had officially taken effect. It wasn't just one or 10 or 100 but more than one million young users who woke up locked out of their social media. No TikTok scroll. No Snapchat streak. No YouTube comments. Australia had quietly entered a new era, the world’s first nationwide ban on social media for children under 16, effective December 10. The move has initiated global debate, parental relief, youth frustration, and a broader question: Is this the start of a global shift, or a risky social experiment? Prime Minister Anthony Albanese was clear about why his government took this unparalleled step. “Social media is doing harm to our kids, and I’m calling time on it,” he said during a press conference. “I’ve spoken to thousands of parents… they’re worried sick about the safety of our kids online, and I want Australian families to know that the Government has your back.” Under the Anthony Albanese social media policy, platforms including Instagram, Facebook, X, Snapchat, TikTok, Reddit, Twitch, Kick, Threads and YouTube must block users under 16, or face fines of up to AU$32 million. Parents and children won’t be penalized, but tech companies will. [caption id="attachment_107569" align="aligncenter" width="448"] Source: eSafety Commissioner[/caption]

Australia's Ban on Social Media: A Big Question

Albanese pointed to rising concerns about the effects of social media on children, from body-image distortion to exposure to inappropriate content and addictive algorithms that tug at young attention spans. [caption id="attachment_107541" align="aligncenter" width="960"] Source: Created using Google Gemini[/caption] Research supports these concerns. A Pew Research Center study found:

• 48% of teens say social media has a mostly negative effect on people their age, up sharply from 32% in 2022.
• 45% feel they spend too much time on social media.
• Teen girls experience more negative impacts than boys, including mental health struggles (25% vs 14%) and loss of confidence (20% vs 10%).
• Yet paradoxically, 74% of teens feel more connected to friends because of social media, and 63% use it for creativity.

These contradictions make the issue far from black and white. Psychologists remind us that adolescence, beginning around age 10 and stretching into the mid-20s, is a time of rapid biological and social change, and that maturity levels vary. This means that a one-size-fits-all ban on social media may overshoot the mark.

Ban on Social Media for Users Under 16: How People Reacted

Australia’s announcement, first revealed in November 2024, has motivated countries from Malaysia to Denmark to consider similar legislation. But not everyone is convinced this is the right way forward.

Supporters Applaud “A Chance at a Real Childhood”

Pediatric occupational therapist Cris Rowan, who has spent 22 years working with children, celebrated the move: “This may be the first time children have the opportunity to experience a real summer,” she said.“Canada should follow Australia’s bold initiative. Parents and teachers can start their own movement by banning social media from homes and schools.” Parents’ groups have also welcomed the decision, seeing it as a necessary intervention in a world where screens dominate childhood.

Others Say the Ban Is Imperfect, but Necessary

Australian author Geoff Hutchison puts it bluntly: “We shouldn’t look for absolutes. It will be far from perfect. But we can learn what works… We cannot expect the repugnant tech bros to care.” His view reflects a broader belief that tech companies have too much power, and too little accountability.

Experts Warn Against False Security 

However, some experts caution that the Australia ban on social media may create the illusion of safety while failing to address deeper issues. Professor Tama Leaver, Internet Studies expert at Curtin University, told The Cyber Express that while the ban on social media addresses some risks, such as algorithmic amplification of inappropriate content and endless scrolling, many online dangers remain.

“The social media ban only really addresses on set of risks for young people, which is algorithmic amplification of inappropriate content and the doomscrolling or infinite scroll. Many risks remain. The ban does nothing to address cyberbullying since messaging platforms are exempt from the ban, so cyberbullying will simply shift from one platform to another.”

Leaver also noted that restricting access to popular platforms will not drive children offline. Due to ban on social media young users will explore whatever digital spaces remain, which could be less regulated and potentially riskier.

“Young people are not leaving the digital world. If we take some apps and platforms away, they will explore and experiment with whatever is left. If those remaining spaces are less known and more risky, then the risks for young people could definitely increase. Ideally the ban will lead to more conversations with parents and others about what young people explore and do online, which could mitigate many of the risks.”

From a broader perspective, Leaver emphasized that the ban on social media will only be fully beneficial if accompanied by significant investment in digital literacy and digital citizenship programs across schools:

“The only way this ban could be fully beneficial is if there is a huge increase in funding and delivery of digital literacy and digital citizenship programs across the whole K-12 educational spectrum. We have to formally teach young people those literacies they might otherwise have learnt socially, otherwise the ban is just a 3 year wait that achieves nothing.”

He added that platforms themselves should take a proactive role in protecting children:

“There is a global appetite for better regulation of platforms, especially regarding children and young people. A digital duty of care which requires platforms to examine and proactively reduce or mitigate risks before they appear on platforms would be ideal, and is something Australia and other countries are exploring. Minimizing risks before they occur would be vastly preferable to the current processes which can only usually address harm once it occurs.”

Looking at the global stage, Leaver sees Australia ban on social media as a potential learning opportunity for other nations:

“There is clearly global appetite for better and more meaningful regulation of digital platforms. For countries considered their own bans, taking the time to really examine the rollout in Australia, to learn from our mistakes as much as our ambitions, would seem the most sensible path forward.”

Other specialists continue to warn that the ban on social media could isolate vulnerable teenagers or push them toward more dangerous, unregulated corners of the internet.

Legal Voices Raise Serious Constitutional Questions

Senior Supreme Court Advocate Dr. K. P. Kylasanatha Pillay offered a thoughtful reflection: “Exposure of children to the vagaries of social media is a global concern… But is a total ban feasible? We must ask whether this is a reasonable restriction or if it crosses the limits of state action. Not all social media content is harmful. The best remedy is to teach children awareness.” His perspective reflects growing debate about rights, safety, and state control.

LinkedIn, Reddit, and the Public Divide

Social media itself has become the battleground for reactions. On Reddit, youngesters were particularly vocal about the ban on social media. One teen wrote: “Good intentions, bad execution. This will make our generation clueless about internet safety… Social media is how teenagers express themselves. This ban silences our voices.” Another pointed out the easy loophole: “Bypassing this ban is as easy as using a free VPN. Governments don’t care about safety — they want control.” But one adult user disagreed: “Everyone against the ban seems to be an actual child. I got my first smartphone at 20. My parents were right — early exposure isn’t always good.” This generational divide is at the heart of the debate.

Brands, Marketers, and Schools Brace for Impact

Bindu Sharma, Founder of World One Consulting, highlighted the global implications: “Ten of the biggest platforms were ordered to block children… The world is watching how this plays out.” If the ban succeeds, brands may rethink how they target younger audiences. If it fails, digital regulation worldwide may need reimagining.

Where Does This Leave the World?

Australia’s decision to ban social media for children under 16 is bold, controversial, and rooted in good intentions. It could reshape how societies view childhood, technology, and digital rights. But as critics note, ban on social media platforms can also create unintended consequences, from delinquency to digital illiteracy. What’s clear is this: Australia has started a global conversation that’s no longer avoidable. As one LinkedIn user concluded: “Safety of the child today is assurance of the safety of society tomorrow.”

Recent data released by the National Crime Records Bureau (NCRB) paints a troubling picture of the rapid rise in cybercrime in India, particularly cases executed through mobile phones and computers.   The NCRB report notes that India recorded over 52,000 cybercrime incidents in 2021, a number that escalated to more than 86,000 by 2023. The Minister of State for Home Affairs, Bandi Sanjay Kumar, shared these figures in a written reply in the Rajya Sabha. 

Regional Trends Show Sharp Contrasts Across Northern India 

Haryana recorded 751 cybercrime cases in 2023, making it the highest among northern states, followed by Himachal Pradesh with 127 cases, a major jump from just 77 the previous year. Punjab, however, reported a decline, registering 511 cases in 2023 compared to 697 in 2022.  Among northern Union Territories, Delhi led with 407 cases, followed by Jammu & Kashmir with 185 and Chandigarh with 23. To strengthen cyber forensic capabilities, the Ministry of Home Affairs provided support to 20 states and UTs under the Nirbhaya-funded scheme. Punjab received ₹7.98 crore from 2018–19, while Himachal Pradesh received ₹7.29 crore. 

Ransomware Surge Places India and Asia-Pacific in a High-Risk Zone 

Beyond NCRB’s findings, rising digital threats in the Asia-Pacific region further illustrate the scale of cybercrime in India and neighboring countries. Cyble’s Monthly Threat Landscape Report: July 2025 reveals that India remains a priority target for ransomware groups. The Warlock ransomware group breached an India-based manufacturing firm, exfiltrating HR files, financial records, design archives, and internal repositories.   Additional leaks on dark web forums exposed stolen data from two Indian companies, a technology consulting firm and a subscription-based SaaS platform.  Unauthorized access to an Indian telecom network was also put up for sale for US$35,000, including credentials, CLI access, and operational network details. Regionally, Thailand, Japan, and Singapore each recorded six ransomware victims, with India and the Philippines close behind. The manufacturing, government, and critical infrastructure sectors faced the brunt of attacks. Meanwhile, South Asia witnessed hacktivist activity, with the pro-India Team Pelican Hackers claiming breaches of major Pakistani research and academic institutions.  Globally, July 2025 saw 423 ransomware victims, with the U.S. accounting for 223. Qilin ransomware topped global activity with 73 victims, followed by INC Ransom with 59. Cyble’s sensors also detected more than 1,000 daily attacks on U.S. industrial control systems, while the UK, Vietnam, China, Singapore, and Hong Kong recorded high targeting levels. A booming market for zero-day exploits added to the risk landscape, with vulnerabilities in WinRAR and leading VPN platforms being sold for USD $80,000 to 1 BTC. 

Insights from 2024 Call for Urgency of Cyber Preparedness 

Insights from the India Threat Landscape Report 2024 add critical context to the rising threat levels highlighted by the National Crime Records Bureau (NCRB). In the first half of 2024 alone, India recorded 593 cyberattacks, 388 data breaches, 107 data leaks, and 39 ransomware incidents, highlighting the need for stronger threat intelligence across tactical, operational, strategic, and technical layers.  Combined with Cyble’s observations on escalating ransomware activity, dark web exposure, and exploit markets, cybercrime in India is becoming the next big thing and demands a coordinated, intelligence-driven response.  Organizations seeking to stay protected from these threats can benefit from Cyble’s AI-powered threat intelligence ecosystem and autonomous security capabilities. Explore Cyble’s platform, experience Blaze AI, or schedule a free demo to strengthen your organization’s preparedness against modern-day cyber risks. 

India's Central Bureau of Investigation filed a chargesheet against 30 accused including two Chinese nationals who allegedly ran a cyber fraud network that siphoned over ₹1,000 crore (approximately US$112 million) from Indian investors through fake cryptocurrency mining platforms, loan apps, and bogus online job offers during the COVID-19 lockdown period.

The HPZ Token Investment Fraud case has exposed a well-coordinated transnational criminal syndicate that exploited India's emerging payment aggregation systems to launder proceeds at unprecedented speed through multiple shell companies before converting funds to cryptocurrency and transferring them overseas.

The fraud began when Shigoo Technology Pvt. Ltd., an entity owned and controlled by Chinese nationals, launched a fake mobile application titled "HPZ Tokens" claiming investments would be used for cryptocurrency mining yielding very high returns. Within just three months, crores were collected and diverted by fraudsters targeting vulnerable investors during pandemic lockdowns.

Chinese Nationals Directed Shell Company Network

Wan Jun served as director of Jilian Consultants India Private Limited, a subsidiary of Chinese entity Jilian Consultants. With help from accomplice Dortse, Wan Jun successfully created several shell companies including Shigoo Technologies that became conduits to collect and launder proceeds from major organized cyber frauds.

The second Chinese national charged, Li Anming, played key roles directing operations alongside Wan Jun. CBI investigation revealed these frauds were connected and controlled by a single organized criminal syndicate based overseas.

Jilian Consultants hired professionals including company secretaries and chartered accountants to create shell companies that helped them run the operation with ease. Money collected was converted into cryptocurrencies before being sent out of the country.

Also read: CBI Arrests Fugitive Cybercrime Kingpin, Busts Fifth Illegal Call Center Targeting US Nationals

Exploitation of Payment Aggregators

The investigation revealed misuse of payment aggregation systems that had just taken off in India at the time of the Covid-19 pandemic. Payment aggregators were providing large collection and money disbursal services using technology to genuine companies, with systems allowing users to access large numbers of bank accounts simultaneously.

Fraudsters exploited this well-structured payment infrastructure to launder money at high speed from accounts of one shell company to another. The system also allowed them to partially disburse money back to investors to gain confidence, sustaining the fraud scheme longer.

Total money moved from bank accounts of these companies surpassed ₹1,000 crore within just a few months.

Ongoing Investigation in Cyber Fraud Network

CBI initially arrested six people named Dortse, Rajni Kohli, Sushanta Behra, Abhishek, Mohd Imdhad Husain, and Rajat Jain. The agency has now filed chargesheet against 27 accused persons and three companies, with further investigation continuing against other suspects.

The investigation revealed this was not an isolated incident but part of a large cyber crime network responsible for several scams targeting Indian citizens in the post-COVID period using loan apps, fake investment platforms, and bogus online job offers.

"The CBI remains steadfast in its unwavering commitment to dismantling these sophisticated cyber fraud networks through relentless operations like Chakra-V," the agency said. The CBI will continue to fortify India's digital economy, protect vulnerable investors, execute targeted arrests, seize assets, and forge international collaborations."

Also read: Indo-U.S. Agencies Dismantle Cybercrime Network Targeting U.S. Nationals

Reporters Without Borders (RSF) has determined that a phishing operation targeting the organization in early 2025 was carried out by a group associated with Russia’s Federal Security Service (FSB). The RSF cyberattack conclusion follows a months-long technical investigation conducted with the support of French cybersecurity firm Sekoia.   According to RSF, the attempted RSF cyberattack was first identified in March 2025 when an employee received a message written in French that appeared to come from a trusted contact. The email requested the recipient to open an attachment that was, in fact, missing, an established phishing technique designed to prompt a reply, allowing attackers to later send infected documents or malicious links.  

The Failed RSF Cyberattack

When the response from the supposed sender arrived in English instead of French, the inconsistency raised immediate suspicion. The employee reported the exchange to RSF’s cybersecurity team, preventing the RSF cyberattack from progressing.  RSF then sought Sekoia’s assistance to conduct a deeper inquiry. The company later published a detailed account attributing the attack to the group known as Callisto or Calisto, also identified as UNC4057, Star Blizzard, or ColdRiver. Intelligence agencies in the United States, the United Kingdom, New Zealand, and Australia have connected this group to the FSB. Sekoia describes Callisto as an advanced persistent threat capable of maintaining hidden, long-term access to targeted information systems. 

Kremlin Pressure and Designation as an “Undesirable Organization” 

In its statement, Reporters Without Borders noted that the organization frequently faces digital interference from Russian state services and pro-Kremlin actors. RSF has long been involved in defending press freedom in Russia and supporting journalists fleeing the country, making it a recurring target of Russian-linked operations.  RSF Director of Advocacy and Assistance Antoine Bernard said the March attack was not accidental. “RSF, which defends global press freedom and actively assists Russian journalists fleeing their country, is a regular target of the Kremlin and the constellation surrounding Vladimir Putin’s regime,” he stated. Bernard added that this incident was one of multiple politically motivated operations directed at the organization in recent months. In August 2025, Russian authorities escalated their pressure by officially declaring RSF an “undesirable organization,” exposing anyone connected to it to prison sentences of up to four years under Russian law.  RSF Chief Information Security Officer Nicolas Diaz emphasized ongoing cybersecurity challenges. “In the face of cyberthreats, RSF benefits from cutting-edge technical solutions as well as external expertise capable of detecting and characterizing the cyberoperations that target us,” he explained. Diaz highlighted the need to strengthen cyber defense capabilities and ensure users recognize the subtle warning signs that often precede an attempted intrusion we saw in the RSF cyberattack.

Disinformation Campaigns and Broader Press Freedom Concerns 

RSF reported that the phishing operation fits into a larger pattern of attempts to undermine its work. In March 2025, the NGO denounced a disinformation campaign that used doctored videos falsely claiming to show statements by RSF leadership. A year earlier, in 2024, RSF filed a complaint against platform X (previously Twitter) after repeated posts containing disinformation against the organization remained unaddressed.   Among the most notable examples was a fabricated BBC-style video alleging that RSF had produced a study accusing Ukrainian soldiers of harboring Nazi sympathies. This false content was later circulated by Russian authorities and amplified by pro-Kremlin influencers.  The organization released its annual press freedom report, stating that Russia currently detains more foreign journalists than any other country. RSF also co-led an investigation into the final weeks of Ukrainian freelance journalist Viktoria Roshchyna, 27, who died in Russian captivity in 2024. According to the report, only Israel and organized crime groups were responsible for more journalist deaths worldwide in 2025. 

Coupang CEO Resigns, a headline many in South Korea expected, but still signals a major moment for the country’s tech and e-commerce landscape. Coupang Corp. confirmed on Wednesday that its CEO, Park Dae-jun, has stepped down following a massive Coupang data breach that exposed the personal information of 33.7 million people, almost two-thirds of the country. Park said he was “deeply sorry” for the incident and accepted responsibility both for the breach and for the company’s response. His exit, while formally described as a resignation, is widely seen as a forced departure given the scale of the fallout and growing anger among customers and regulators. To stabilize the company, Coupang’s U.S. parent, Coupang Inc., has appointed Harold Rogers, its chief administrative officer and general counsel, as interim CEO. The parent company said the leadership change aims to strengthen crisis management and ease customer concerns.

What Happened in the Coupang Data Breach

The company clarified that the latest notice relates to the previously disclosed incident on November 29 and that no new leak has occurred. According to Coupang’s ongoing investigation, the leaked information includes:

• Customer names and email addresses
• Full shipping address book details, such as names, phone numbers, addresses, and apartment entrance access codes
• Portions of the order information

Coupang emphasized that payment details, passwords, banking information, and customs clearance codes were not compromised. As soon as it identified the leak, the company blocked abnormal access routes and tightened internal monitoring. It is now working closely with the Ministry of Science and ICT, the National Police Agency, the Personal Information Protection Commission (PIPC), the Korea Internet & Security Agency (KISA), and the Financial Supervisory Service.

Phishing, Smishing, and Impersonation Alerts

Coupang warned customers to be extra cautious as leaked data can fuel impersonation scams. The company reminded users that:

• Coupang never asks customers to install apps via phone or text.
• Unknown links in messages should not be opened.
• Suspicious communications should be reported to 112 or the Financial Supervisory Service.
• Customers must verify messages using Coupang’s official customer service numbers.

Users who stored apartment entrance codes in their delivery address book were also urged to change them immediately. The company also clarified that delivery drivers rarely call customers unless necessary to access a building or resolve a pickup issue, a small detail meant to help people recognize potential scam attempts.

Coupang CEO Resigns as South Korea Toughens Cyber Rules

The departure of CEO Park comes at a time when South Korea is rethinking how corporations respond to data breaches. The government’s 2025 Comprehensive National Cybersecurity Strategy puts direct responsibility on CEOs for major security incidents. It also expands CISOs' authority, strengthens IT asset management requirements, and gives chief privacy officers greater influence over security budgets. This shift follows other serious breaches, including SK Telecom’s leak of 23 million user records, which led to a record 134.8 billion won fine. Regulators are now considering fines of up to 1.2 trillion won for Coupang, roughly 3% of its annual sales, under the Personal Information Protection Act. The company also risks losing its ISMS-P certification, a possibility unprecedented for a business of its size.

Industry Scramble After a Coupang Data Breach of This Scale

A Coupang Data breach affecting tens of millions of people has sent shockwaves across South Korea’s corporate sector. Authorities have launched emergency inspections of 1,600 ISMS-certified companies and begun unannounced penetration tests. Security vendors say Korean companies are urgently adding multi-factor authentication, AI-based anomaly detection, insider threat monitoring, and stronger access controls. Police naming a former Chinese Coupang employee as a suspect has intensified focus on insider risk. Government agencies, including the National Intelligence Service, are also working with private partners to shorten cyber-incident analysis times from 14 days to 5 days using advanced AI forensic labs.

Looking Ahead

With the Coupang CEO's resignation development now shaping the company’s crisis trajectory, Coupang faces a long road to rebuilding trust among users and regulators. The company says its teams are working to resolve customer concerns quickly, but the broader lesson is clear: cybersecurity failures now carry real consequences, including at the highest levels of leadership.

Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.  The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network. The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service. 

Hundreds of Legal Proceedings Underway Following the HSE Cyberattack 

As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.”  According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options.  The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack.  As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.”  In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period. 

Cybersecurity Overhaul Following the Conti Attack 

Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE. The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.  The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms. 

Australia’s world-first social media ban for children under age 16 takes effect on December 10, leaving kids scrambling for alternatives and the Australian government with the daunting task of enforcing the ambitious ban. What is the Australian social media ban, who and what services does it cover, and what steps can affected children take? We’ll cover all that, plus the compliance and enforcement challenges facing both social media companies and the Australian government – and the move toward similar bans in other parts of the world.

Australian Social Media Ban Supported by Most – But Not All

In September 2024, Prime Minister Anthony Albanese announced that his government would introduce legislation to set a minimum age requirement for social media because of concerns about the effect of social media on the mental health of children. The amendment to the Online Safety Act 2021 passed in November 2024 with the overwhelming support of the Australian Parliament. The measure has met with overwhelming support – even as most parents say they don’t plan to fully enforce the ban with their children. The law already faces a legal challenge from The Digital Freedom Project, and the Australian Financial Review reported that Reddit may file a challenge too. Services affected by the ban – which proponents call a social media “delay” – include the following 10 services:

• Facebook
• Instagram
• Kick
• Reddit
• Snapchat
• Threads
• TikTok
• Twitch
• X
• YouTube

Those services must take steps by Wednesday to remove accounts held by users under 16 in Australia and prevent children from registering new accounts. Many services began to comply before the Dec. 10 implementation date, although X had not yet communicated its policy to the government as of Dec. 9, according to The Guardian. Companies that fail to comply with the ban face fines of up to AUD $49.5 million, while there are no penalties for parents or children who fail to comply.

Opposition From a Wide Range of Groups - And Efforts Elsewhere

Opposition to the law has come from a range of groups, including those concerned about the privacy issues resulting from age verification processes such as facial recognition and assessment technology or use of government IDs. Others have said the ban could force children toward darker, less regulated platforms, and one group noted that children often reach out for mental health help on social media. Amnesty International also opposed the ban. The international human rights group called the ban “an ineffective quick fix that’s out of step with the realities of a generation that lives both on and offline.” Amnesty said strong regulation and safeguards would be a better solution. “The most effective way to protect children and young people online is by protecting all social media users through better regulation, stronger data protection laws and better platform design,” Amnesty said. “Robust safeguards are needed to ensure social media platforms stop exposing users to harms through their relentless pursuit of user engagement and exploitation of people’s personal data. “Many young people will no doubt find ways to avoid the restrictions,” the group added. “A ban simply means they will continue to be exposed to the same harms but in secret, leaving them at even greater risk.” Even the prestigious medical journal The Lancet suggested that a ban may be too blunt an instrument and that 16-year-olds will still face the same harmful content and risks. Jasmine Fardouly of the University of Sydney School of Psychology noted in a Lancet commentary that “Further government regulations and support for parents and children are needed to help make social media safe for all users while preserving its benefits.” Still, despite the chorus of concerns, the idea of a social media ban for children is catching on in other places, including the EU and Malaysia.

Australian Children Seek Alternatives as Compliance Challenges Loom

The Australian social media ban leaves open a range of options for under-16 users, among them Yope, Lemon8, Pinterest, Discord, WhatsApp, Messenger, iMessage, Signal, and communities that have been sources of controversy such as Telegram and 4chan. Users have exchanged phone numbers with friends and other users, and many have downloaded their personal data from apps where they’ll be losing access, including photos, videos, posts, comments, interactions and platform profile data. Many have investigated VPNs as a possible way around the ban, but a VPN is unlikely to work with an existing account that has already been identified as an underage Australian account. In the meantime, social media services face the daunting task of trying to confirm the age of account holders, a process that even Albanese has acknowledged “won’t be 100 per cent perfect.” There have already been reports of visual age checks failing, and a government-funded report released in August admitted the process will be imperfect. The government has published substantial guidance for helping social media companies comply with the law, but it will no doubt take time to determine what “reasonable steps” to comply look like. In the meantime, social media companies will have to navigate compliance guidance like the following passage: “Providers may choose to offer the option to end-users to provide government-issued identification or use the services of an accredited provider. However, if a provider wants to employ an age assurance method that requires the collection of government-issued identification, then the provider must always offer a reasonable alternative that doesn’t require the collection of government-issued identification. A provider can never require an end-user to give government-issued identification as the sole method of age assurance and must always give end-users an alternative choice if one of the age assurance options is to use government-issued identification. A provider also cannot implement an age assurance system which requires end-users to use the services of an accredited provider without providing the end-user with other choices.”  

The 6th edition of the NIS Investments report highlights a realignment in how organizations across the European Union allocate their cybersecurity investments, with funding steadily shifting from staffing toward technologies and outsourced services. The findings come from ENISA’s annual survey, which examines how EU cybersecurity policy, particularly the NIS2 Directive, translates into practice and influences operational decisions, resources, and long-term planning.  ENISA Executive Director Juhan Lepassaar highlighted the study’s importance, stating: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support, and inform our recommendations for the future.”  For last year’s cycle, the survey gathered responses from 1,080 public and private organizations across all EU Member States. The sample represented sectors deemed highly critical under the NIS2 Directive.   Large enterprises made up 83% of respondents, while 17% were SMEs, allowing comparisons between organizations with very different resource structures. A detailed data companion was published alongside the main report, offering both sector-based and Member State views for deeper analysis. 

Cybersecurity Investment Becomes a Priority

Compared to last year, overall cybersecurity investments remained stable, averaging 9% of IT budgets with a median spend of 1.5 million euros. However, the data shows a clear pivot away from expanding internal cybersecurity teams and toward enhanced technology stacks and outsourced services. This shift marks one of the report’s central trends.  The cyber talent shortage remains a defining challenge across the EU. Organisations reported persistent difficulties in attracting (76%) and retaining (71%) cybersecurity professionals. High turnover, limited talent availability, and competitive hiring conditions continue to widen the workforce gap, prompting organizations to reassess staffing models and increase reliance on external support.  Compliance, especially related to NIS2, is still the main catalyst behind cybersecurity investments, cited by 70% of organizations. Yet the report notes that these efforts produce benefits beyond regulatory adherence. Respondents pointed to improvements in risk management (41%), detection capability (35%), and incident response (26%). Future investment priorities include upgrading cybersecurity tools, strengthening recovery processes, and improving internal skills development. 

NIS2 Implementation is Essential but Difficult 

While NIS2 is prompting organizations to raise their cybersecurity baseline, the directive implementation poses challenges across multiple domains. Entities reported obstacles in patching (50%), business continuity (49%), and supply-chain risk management (37%). Larger organizations struggle with harmonizing approaches and transitioning from legacy systems, while SMEs face barriers such as limited guidance, high tooling costs, and insufficient skills.  The report reveals ongoing difficulty in timely patching and conducting security assessments. Nearly one in three organizations had not performed a cybersecurity assessment in the previous 12 months. Additionally, 28% require more than three months to patch critical vulnerabilities, a pressing issue given that vulnerability exploitation remains a leading attack vector. SMEs face the steepest hurdles, with 63% struggling with testing and 51% with patching. 

Supply-Chain Exposure Rising 

As supply-chain risk management slowly improves, dependence on outsourced ICT and security services continues to introduce vulnerabilities, especially when suppliers are SMEs with limited resources. Supply-chain and third-party compromises were identified as the second most concerning future threat (47%), aligning with trends in the ENISA Threat Landscape report, which notes a rise in attacks targeting cyber dependencies.  Organizations cited DoS attacks as the most disruptive to daily operations, yet ransomware (55%), supply-chain attacks (47%), and phishing (35%) dominate long-term concerns. SMEs consistently reported the lowest confidence in their ability to prepare for, withstand, and recover from cyber incidents across any threat category.  Findings from the NIS Investments report feed into several ENISA initiatives, including the NIS360 assessment of sectoral maturity, the EU Cybersecurity Index, and the State of Cybersecurity in the Union report. These insights help refine policy recommendations and guide future actions to strengthen the EU’s overall cyber resilience. 

Polish police have detained three Ukrainian citizens after discovering a cache of sophisticated hacking and spy-detection equipment in their vehicle. The men, aged 39, 42, and 43, were stopped by officers from the Warsaw Śródmieście district during a routine traffic control on Senatorska Street. The investigation revealed tools capable of interfering with IT systems and committing serious cyber-related crimes. During the stop, the officers checked the men’s identification and noticed signs of nervousness. In interviews, the suspects admitted to "traveling around Europe," having just arrived in Poland and planning to head to Lithuania. The vehicle was subsequently searched thoroughly, uncovering a range of equipment including:

• Advanced FLIPPER hacking tools
• Spy device detectors
• Antennas capable of disrupting IT systems
• Laptops and portable hard drives
• SIM cards and routers
• Cameras and other electronic devices

The items were considered potentially dangerous to the country’s strategic IT and telecommunications infrastructure.

Evidence Analysis and Investigation by Polish police

All seized electronic devices were handed over to the Warsaw Central Bureau for Combating Cybercrime (CBZC) for examination. Although the data storage devices were encrypted, investigators were able to decode and gather evidence thanks to swift action from the CBZC. During further questioning, the suspects claimed to be IT specialists. However, their answers were inconsistent, and they struggled to explain the purpose of the equipment. At times, they pretended not to understand English when asked specific questions. Criminal investigators from Warsaw’s Property Crime Department are exploring the circumstances surrounding their entry into Poland, their travel intentions, and the potential use of the seized devices. The case remains under active investigation.

Charges and Court Action

The three men face multiple charges including:

• Fraud
• Computer fraud
• Possession of devices and computer programs adapted for criminal activities
• Attempted damage of computer data of particular importance to national defense

Following the investigation, the Warsaw Śródmieście-Północ District Prosecutor’s Office requested preventive measures, and the court granted three-month pretrial detention for all three suspects. The proceedings continue under the supervision of the District Prosecutor’s Office.

Police Statement and Context

Polish police emphasized their ongoing efforts to protect national security and public safety. Officers from the Intelligence and Patrol Department of the Warsaw I District Police Headquarters demonstrated rapid and professional response, highlighting the importance of vigilance in detecting potential threats posed by individuals carrying specialized IT and surveillance equipment. The authorities are exploring all possible scenarios regarding the suspects’ activities in Poland and across Europe, and the case underscores growing concerns about cross-border cybercrime and the misuse of advanced digital technologies for illegal purposes.

A security issue disclosed in the Apache Tika document-processing framework has proved broader and more serious than first believed. The project’s maintainers have issued a new advisory revealing that a flaw previously thought to be limited to a single PDF-processing component extends across several Tika modules, widening the scope of a vulnerability first publicized in mid-2025. 

Initial Disclosure and the Limits of CVE-2025-54988 

The original flaw, listed as CVE-2025-54988 and published in August with a severity rating of 8.4, was traced to the tika-parser-pdf-module used to process PDFs in Apache Tika from versions 1.13 through 3.2.1. Tika, a tool designed to extract and standardize content from more than 1,000 proprietary file formats, has long been a target for attacks involving XML External Entity (XXE) injection, a recurring risk in software that parses complex document formats.  According to the original CVE description, the weakness allowed attackers to hide XML Forms Architecture (XFA) instructions inside a malicious PDF. When processed, these instructions could enable an XXE injection attack, potentially letting an attacker “read sensitive data or trigger malicious requests to internal resources or third-party servers.” The vulnerability also created a pathway for data exfiltration through Tika’s own processing pipeline, with no outward indication that data was leaking. 

New CVE Expands Affected Components and Severity 

Project maintainers now report that the PDF parser was not the only vulnerable entry point. A new advisory issued on 4 December 2025 by Tim Allison on the Tika mailing list confirms that the issue affects additional components. The newly disclosed CVE-2025-66516, rated at a maximum severity of 10.0, expands the scope to include: 

• Apache Tika core (tika-core) versions 1.13 through 3.2.1 
• Apache Tika parsers (tika-parsers) versions 1.13 through 1.28.5 
• Apache Tika PDF parser module (tika-parser-pdf-module) versions 2.0.0 through 3.2.1 

The maintainers note two reasons for issuing a second CVE. First, although the vulnerability was detected via the PDF parser, the underlying flaw and its fix were located in tika-core. This means that users who updated only the PDF parser after the initial disclosure but did not update Tika core to version 3.2.2 or later remain exposed. Second, earlier Tika versions housed the PDFParser class within the tika-parsers module, which was not included in the initial CVE despite being vulnerable. The advisory states that CVE-2025-66516 “covers the same vulnerability as in CVE-2025-54988,” but widens the list of affected packages to ensure users understand the full extent of the risk. 

Impact, Exploitation Risk, and Recommended Mitigation 

As of early December, maintainers say they have no evidence that attackers are exploiting the weakness in real-world campaigns. Still, the potential for rapid exploitation remains high, particularly if proofs-of-concept or reverse-engineered attack samples begin circulating.  To eliminate the vulnerability, users are instructed to update to: 

• tika-core 3.2.2 
• tika-parser-pdf-module 3.2.2 
• tika-parsers 2.0.0 (for legacy users) 

The maintainers warn that patching may be insufficient in environments where Apache Tika is used indirectly or embedded within other applications. Its presence is not always clearly documented, creating blind spots for developers. The advisory notes that disabling XML parsing via tika-config.xml is the only mitigation for teams uncertain about where Tika may be running. 

The UK’s National Cyber Security Centre (NCSC) has issued a fresh warning about the growing threat of prompt injection, a vulnerability that has quickly become one of the biggest security concerns in generative AI systems. First identified in 2022, prompt injection refers to attempts by attackers to manipulate large language models (LLMs) by inserting rogue instructions into user-supplied content. While the technique may appear similar to the long-familiar SQL injection flaw, the NCSC stresses that comparing the two is not only misleading but potentially harmful if organisations rely on the wrong mitigation strategies.

Why Prompt Injection Is Fundamentally Different

SQL injection has been understood for nearly three decades. Its core issue, blurring the boundary between data and executable instructions, has well-established fixes such as parameterised queries. These protections work because traditional systems draw a clear distinction between “data” and “instructions.” The NCSC explains that LLMs do not operate in the same way. Under the hood, a model doesn’t differentiate between a developer’s instruction and a user’s input; it simply predicts the most likely next token. This makes it inherently difficult to enforce any security boundary inside a prompt. In one common example of indirect prompt injection, a candidate’s CV might include hidden text instructing a recruitment AI to override previous rules and approve the applicant. Because an LLM treats all text the same, it can mistakenly follow the malicious instruction. This, according to the NCSC, is why prompt injection attacks consistently appear in deployed AI systems and why they are ranked as OWASP’s top risk for generative AI applications.

Treating LLMs as an ‘Inherently Confusable Deputy’

Rather than viewing prompt injection as another flavour of classic code injection, the NCSC recommends assessing it through the lens of a confused deputy problem. In such vulnerabilities, a trusted system is tricked into performing actions on behalf of an untrusted party. Traditional confused deputy issues can be patched. But LLMs, the NCSC argues, are “inherently confusable.” No matter how many filters or detection layers developers add, the underlying architecture still offers attackers opportunities to manipulate outputs. The goal, therefore, is not complete elimination of risk, but reducing the likelihood and impact of attacks.

Key Steps to Building More Secure AI Systems

The NCSC outlines several principles aligned with the ETSI baseline cybersecurity standard for AI systems: 1. Raise Developer and Organisational Awareness Prompt injection remains poorly understood, even among seasoned engineers. Teams building AI-connected systems must recognise it as an unavoidable risk. Security teams, too, must understand that no product can completely block these attacks; risk has to be managed through careful design and operational controls. 2. Prioritise Secure System Design Because LLMs can be coerced into using external tools or APIs, designers must assume they are manipulable from the outset. A compromised prompt could lead an AI assistant to trigger high-privilege actions, effectively handing those tools to an attacker. Researchers at Google, ETH Zurich, and independent security experts have proposed architectures that constrain the LLM’s authority. One widely discussed principle: if an LLM processes external content, its privileges should drop to match the privileges of that external party. 3. Make Attacks Harder to Execute Developers can experiment with techniques that separate “data” from expected “instructions”, for example, wrapping external input in XML tags. Microsoft’s early research shows these techniques can raise the barrier for attackers, though none guarantee total protection. The NCSC warns against simple deny-listing phrases such as “ignore previous instructions,” since attackers can easily rephrase commands. 4. Implement Robust Monitoring A well-designed system should log full inputs, outputs, tool integrations, and failed API calls. Because attackers often refine their attempts over time, early anomalies, like repeated failed tool calls, may provide the first signs of an emerging attack.

A Warning for the AI Adoption Wave

The NCSC concludes that relying on SQL-style mitigations would be a serious mistake. SQL injection saw its peak in the early 2010s after widespread adoption of database-driven applications. It wasn’t until years of breaches and data leaks that secure defaults finally became standard. With generative AI rapidly embedding itself into business workflows, the agency warns that a similar wave of exploitation could occur, unless organisations design systems with prompt injection risks front and center.

AI browsers may be innovative, but they’re “too risky for general adoption by most organizations,” Gartner warned in a recent advisory to clients. The 13-page document, by Gartner analysts Dennis Xu, Evgeny Mirolyubov and John Watts, cautions that AI browsers’ ability to autonomously navigate the web and conduct transactions “can bypass traditional controls and create new risks like sensitive data leakage, erroneous agentic transactions, and abuse of credentials.” Default AI browser settings that prioritize user experience could also jeopardize security, they said. “Sensitive user data — such as active web content, browsing history, and open tabs — is often sent to the cloud-based AI back end, increasing the risk of data exposure unless security and privacy settings are deliberately hardened and centrally managed,” the analysts said. “Gartner strongly recommends that organizations block all AI browsers for the foreseeable future because of the cybersecurity risks identified in this research, and other potential risks that are yet to be discovered, given this is a very nascent technology,” they cautioned.

AI Browsers’ Agentic Capabilities Could Introduce Security Risks: Analysts

The researchers largely ignored risks posed by AI browsers’ built-in AI sidebars, noting that LLM-powered search and summarization functions “will always be susceptible to indirect prompt injection attacks, given that current LLMs are inherently vulnerable to such attacks. Therefore, the cybersecurity risks associated with an AI browser’s built-in AI sidebar are not the primary focus of this research.” Still, they noted that use of AI sidebars could result in sensitive data leakage. Their focus was more on the risks posed by AI browsers’ agentic and autonomous transaction capabilities, which could introduce new security risks, such as “indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website.” AI browsers could also leak sensitive data that users are currently viewing to their cloud-based service back end, they noted.

Analysts Focus on Perplexity Comet

An AI browser’s agentic transaction capability “is a new capability that differentiates AI browsers from third-party conversational AI sidebars and basic script-based browser automation,” the analysts said. Not all AI browsers support agentic transactions, they said, but two prominent ones that do are Perplexity Comet and OpenAI’s ChatGPT Atlas. The analysts said they’ve performed “a limited number of tests using Perplexity Comet,” so that AI browser was their primary focus, but they noted that “ChatGPT Atlas and other AI browsers work in a similar fashion, and the cybersecurity considerations are also similar.” Comet’s documentation states that the browser “may process some local data using Perplexity’s servers to fulfill your queries. This means Comet reads context on the requested page (such as text and email) in order to accomplish the task requested.” “This means sensitive data the user is viewing on Comet might be sent to Perplexity’s cloud-based AI service, creating a sensitive data leakage risk,” the analysts said. Users likely would view more sensitive data in a browser than they would typically enter in a GenAI prompt, they said. Even if an AI browser is approved, users must be educated that “anything they are viewing could potentially be sent to the AI service back end to ensure they do not have highly sensitive data active on the browser tab while using the AI browser’s sidebar to summarize or perform other autonomous actions,” the Gartner analysts said. Employees might also be tempted to use AI browsers to automate tasks, which could result in “erroneous agentic transactions against internal resources as a result of the LLM’s inaccurate reasoning or output content.”

AI Browser Recommendations

Gartner said employees should be blocked from accessing, downloading and installing AI browsers through network and endpoint security controls. “Organizations with low risk tolerance must block AI browser installations, while those with higher-risk tolerance can experiment with tightly controlled, low-risk automation use cases, ensuring robust guardrails and minimal sensitive data exposure,” they said. For pilot use cases, they recommended disabling Comet’s “AI data retention” setting so that Perplexity can’t use employee searches to improve their AI models. Users should also be instructed to periodically perform the “delete all memories” function in Comet to minimize the risk of sensitive data leakage.  

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.  In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”  The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.” 

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.  The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”  Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.  The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact. 

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.  The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”  Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”  The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands. 

Google and Apple have released new global cyber threat notifications, alerting users across dozens of countries to potential targeting by state-linked hackers. The latest warnings reflect growing concerns about government-backed surveillance operations and the expanding commercial spyware marketplace.  Both companies confirmed that the alerts were sent this week as part of their ongoing efforts to protect users from digital espionage. The warnings are tied to commercial surveillance firms, including Intellexa, which has been repeatedly linked to high-end spyware deployments around the globe. 

Apple Sends Warning Across More than 80 Countries 

Apple stated that its newest set of threat notifications was dispatched on December 2, though the company declined to identify the number of affected users or the specific actors involved. These warnings are triggered when technical evidence indicates that individuals are being deliberately targeted by advanced hacking techniques believed to be connected to state agencies or their contractors.  While Apple did not specify locations for this week’s alerts, it confirmed that, since the initiative began, users in more than 150 countries have received similar warnings. This aligns with the company’s broader strategy of alerting customers when activity consistent with state-directed surveillance operations is detected. 

Google Reports Intellexa Spyware Targeting Several Hundred Accounts 

Google also announced that it had notified “several hundred accounts” identified as being targeted by spyware developed by Intellexa, a surveillance vendor sanctioned by the United States. According to Google’s threat intelligence team, the attempted compromises spanned a wide geographic range. Users in Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan were among those affected. 

Also read: Sanctioned Spyware Vendor Used iOS Zero-Day Exploit Chain Against Egyptian Targets

The tech giant stated that Intellexa has continued to operate and adapt its tools despite U.S. sanctions. Executives associated with the company did not respond to inquiries about the allegations. Google also noted that this round of alerts covered people in more than 80 countries, stressing the nature of the attempted intrusions by state-linked hackers.

Rising Scrutiny of Commercial Spyware 

The latest notifications from Google and Apple are part of a bigger concern surrounding the global spyware industry. Both companies have repeatedly warned that commercial surveillance tools, particularly those sold to government clients, are becoming increasingly common in targeting journalists, activists, political figures, and other high-risk individuals.  Previous disclosures from Apple and Google have already prompted official scrutiny. The European Union has launched investigations in past cases, especially after reports that senior EU officials were targeted with similar spyware technologies. These inquiries often expand into broader examinations of cross-border surveillance practices and the companies that supply such tools. 

Also read: Leaked Files Expose Intellexa’s Remote Access to Customer Systems and Live Surveillance Ops

Tech Firms Decline to Name Specific Attackers 

Despite the breadth of the new alerts, neither Google nor Apple offered details about the identities of the actors behind the latest attempts. Apple also declined to describe the nature of the malicious activity detected. Both companies stress that withholding technical specifics is common when dealing with state-linked hackers, as revealing investigative methods could interfere with ongoing monitoring operations.  Although the exact attackers remain unnamed, the alerts demonstrate a global distribution of spyware activity. Google’s identification of affected users across multiple continents, along with Apple’s acknowledgment of notifications issued in over 150 countries over time, shows that the threat posed by government-aligned surveillance groups continues to expand. 

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira.

LockBit 'Fully Reactivated'

Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments.

LockBit Victims, Sectors and Targeted Countries

One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.  According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.  “Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation. 

Ongoing Attacks Traced to a Single IP Address 

JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.   The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released. 

No Evidence Linking to Past Exploits of CVE-2023-28461 

The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.  Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461. 

Affected Versions and Required Updates 

The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.  JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot. 

Workarounds 

For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps: 

• Disable all DesktopDirect services if the feature is not actively in use. 

• Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads. 

These measures aim to reduce exposure until patching becomes feasible.  In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.

The cycle of vulnerability disclosure and weaponization has shattered records once again. According to a new threat intel from Amazon Web Services (AWS), state-sponsored hacking groups linked to China began actively exploiting a critical vulnerability nicknamed "React2Shell," in popular web development frameworks mere hours after its public release.

The React2Shell vulnerability, tracked as CVE-2025-55182, affects React Server Components in React 19.x and Next.js versions 15.x and 16.x when using the App Router. The flaw carries the maximum severity score of 10.0 on the CVSS scale, enabling unauthenticated remote code execution (RCE).

The Rapid Weaponization Race

The vulnerability was publicly disclosed on Wednesday, December 3. AWS threat intelligence teams, monitoring their MadPot honeypot infrastructure, detected exploitation attempts almost immediately.

The threat actors identified in the flurry of activity are linked to known China state-nexus cyber espionage groups, including:

• Earth Lamia: Known for targeting financial services, logistics, and government organizations across Latin America, the Middle East, and Southeast Asia.

• Jackpot Panda: A group typically focused on East and Southeast Asian entities, often aligned with domestic security interests.

"China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure," stated an AWS Security Blog post announcing the findings.

The speed of operation showcased how the window between public disclosure and active attack is now measured in minutes, not days.

Also read: China-linked RedNovember Campaign Shows Importance of Patching Edge Devices

Hacker's New Strategy of Speed Over Precision

The AWS analysis also revealed a crucial insight into modern state-nexus tactics that threat groups are prioritizing volume and speed over technical accuracy.

Investigators observed that many attackers were attempting to use readily available, but often flawed, public Proof-of-Concept (PoC) exploits pulled from the GitHub security community. These PoCs frequently demonstrated fundamental technical misunderstandings of the flaw.

Despite the technical inadequacy, threat actors are aggressively throwing these PoCs at thousands of targets in a "volume-based approach," hoping to catch the small percentage of vulnerable configurations. This generates significant noise in logs but successfully maximizes their chances of finding an exploitable weak link.

Furthermore, attackers were not limiting their focus, simultaneously attempting to exploit other recent vulnerabilities, demonstrating a systematic, multi-pronged campaign to compromise targets as quickly as possible.

Call for Patching

While AWS has deployed automated protections for its managed services and customers using AWS WAF, the company is issuing an urgent warning to any entity running React or Next.js applications in their own environments (such as Amazon EC2 or containers).

The primary mitigation remains immediate patching.

"These protections aren't substitutes for patching," AWS warned. Developers must consult the official React and Next.js security advisories and update vulnerable applications immediately to prevent state-sponsored groups from gaining RCE access to their environments.

CVE-2025-55182 enables an attacker to achieve unauthenticated Remote Code Execution (RCE) in vulnerable versions of the following packages:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

AWS' findings states a cautious tale that a vulnerability with a CVSS 10.0 rating in today's times becomes a national security emergency the moment it hits the public domain.

Intellexa staff members connected directly to at least 10 deployed Predator customer systems using TeamViewer commercial remote administration software, a leaked 2023 internal training session revealed. It exposed how the sanctioned mercenary spyware vendor retained privileged access to government surveillance operations including the ability to view live targeting data, infection attempts, and potentially access dashboards containing collected surveillance data from victims.

The "Intellexa Leaks" investigation published jointly by Inside Story, Haaretz, WAV Research Collective, and Amnesty International's Security Lab provides unprecedented visibility into internal operations of a commercial surveillance company whose Predator spyware has been linked to human rights abuses across countries.

The leaked materials, including internal documents, sales and marketing material, and training videos, expose how Intellexa operates despite US Treasury sanctions imposed in March 2024 and extensive public scrutiny from civil society and technology companies.

Direct Access to Ten Customer Systems

The TeamViewer control panel, briefly visible in the leaked training recording, showed at least 10 potential customers identified with code names including Dragon, Eagle, Falcon, Flamingo, Fox, Glen, Lion, Loco, Phoenix, and Rhino, plus one apparent Predator demo system. The visible customers represented only those through the letter F alphabetically, suggesting additional deployments beyond those shown.

Internal Intellexa business records show the company purchased seven TeamViewer licenses in June 2021, indicating remote management of deployed customer Predator systems began at least two years before the video was recorded. Amnesty International's infrastructure mapping in September 2021 found seven likely active Predator customers, consistent with the purchased license count.

When a staff member asked if they were connecting to a testing environment, the instructor stated they were accessing a live "customer environment." The video shows staff initiating remote connections without indication that customers or government end-users reviewed or approved specific connection requests.

Also read: Sanctioned Spyware Vendor Used iOS Zero-Day Exploit Chain Against Egyptian Targets

Visibility Into Live Targeting Operations

For 30 minutes, the video shows an Intellexa staff member browsing an Elasticsearch analytics dashboard displaying logs and analytics from various Predator system components assigned to a specific customer with codename EAGLE_2. The dashboard included logs from both on-premises backend systems and online systems on the public internet, containing both live and historical data.

The logging dashboard revealed live Predator infection attempts against real targets. Detailed information from at least one infection attempt against a target in Kazakhstan showed the infection URL, target's IP address, and software versions of the target's phone, though the attempt apparently failed.

Data visible in the log dashboard indicated that logs from other internal Predator backend system components were also accessible, including those storing targeting information and collected surveillance data.

Access to Customer Dashboard and Surveillance Data

During the training, the instructor switched windows on the remote Ubuntu desktop, revealing other open applications including a Chrome browser window displaying a login prompt for a system hosted at https://pds[.]my[.]admin:8884. The username "cyop" was prefilled, indicating the remote computer used by Intellexa staff had previously logged into the PDS system.

Amnesty International concluded the login prompt shown in the training video provides access to a customer's Predator dashboard—the main control panel used by customers to conduct surveillance operations including adding targets, creating new infection links, and viewing surveillance data collected from victims.

The customer targeting dashboard is referred to in internal Intellexa documentation by various names including Predator Delivery Studio, Helios Delivery Studio, and the Cyber Operations Platform. Both terms PDS and CyOP appear in the URL and username field from the training video.

The remote desktop system used by Intellexa support staff could connect to the Predator dashboard, raising alarming questions about compartmentalization of live surveillance data and targeting from the company and its staff. The video suggests Intellexa staff retained privileged network access to the most sensitive parts of the Predator system, including storage containing photos, messages, and all surveillance data gathered from victims.

New Predator Attack in Pakistan

Ongoing forensic investigations independent of the leaks, found new evidence that Predator spyware is being actively used in Pakistan. In summer 2025, a human rights lawyer from Pakistan's Balochistan province received a malicious link over WhatsApp from an unknown number.

Amnesty International's Security Lab attributed the link to a Predator attack attempt based on technical behavior of the infection server and specific characteristics of the one-time infection link consistent with previously observed Predator 1-click links. This represents the first reported evidence of Predator spyware being used in Pakistan.

The targeting comes amid severe restrictions on rights of human rights activists in Balochistan province, including increasingly common province-wide internet shutdowns.

Advertising-Based Zero-Click Infections

The leaked materials provide fresh insights into Predator infection vectors, including a new strategic vector called "Aladdin" that exploits the commercial mobile advertising ecosystem to enable silent zero-click infection of target devices anywhere in the world.

The Aladdin system infects target phones by forcing malicious advertisements created by attackers to be shown on target devices. Internal company materials explain that simply viewing the advertisement triggers infection without any need to click, using the target's public IP address as the unique target identifier.

Based on analysis of Predator network infrastructure, Amnesty International believes the Aladdin vector was supported in active Predator deployments in 2024.

Google delivered government-backed attack warnings to several hundred accounts across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan associated with Intellexa customers since 2023.

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.  Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.  She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day. 

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:  “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”  The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.  Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allow intruders to extract personal data from the Student Management System.  University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel. 

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.  Individual notifications are being issued to those affected, including updated findings from earlier incidents.  The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused. 

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

Google Threat Intelligence Group discovered a full iOS zero-day exploit chain deployed in the wild against targets in Egypt, revealing how sanctioned commercial surveillance vendor Intellexa continues purchasing and deploying digital weapons despite US government restrictions and extensive public scrutiny.

The three-stage attack chain was developed by Intellexa to install its Predator spyware onto victim devices, which is known to act as a surveillance tool for its government clients worldwide.

Google researchers partnered with CitizenLab in 2023 to capture and analyze the complete exploit chain after identifying attacks targeting individuals in Egypt. According to metadata, Intellexa referred to this exploit chain internally as "smack," with compilation artifacts revealing the build directory path including the codename.

First Stage: Purchased Safari Exploit

The initial stage leveraged a Safari remote code execution zero-day that Apple patched as CVE-2023-41993. The exploit utilized a framework internally called "JSKit" to achieve arbitrary memory read and write primitives, then execute native code on modern Apple devices.

Google researchers assessed with high confidence that Intellexa acquired its iOS RCE exploits from an external entity rather than developing them internally. The identical JSKit framework has appeared in attacks by other surveillance vendors and government-backed threat actors since 2021.

In 2024, Google publicly reported that Russian government-backed attackers used this exact same iOS exploit and JSKit framework in a watering hole attack against Mongolian government websites.

Read: Russian State Hackers Using Exploits ‘Strikingly Similar’ to Spyware Vendors NSO and Intellexa

The framework also appeared in another surveillance vendor's exploitation of CVE-2022-42856 in 2022. The JSKit framework is well-maintained, supports a wide range of iOS versions, and is modular enough to support different Pointer Authentication Code bypasses and code execution techniques. The framework can parse in-memory Mach-O binaries to resolve custom symbols and manually map and execute Mach-O binaries directly from memory, with each exploitation step tested carefully.

Debug strings at the RCE exploit entry point indicated Intellexa tracked it internally as "exploit number 7," suggesting the external supplier likely possesses a substantial arsenal of iOS exploits targeting various versions.

Second Stage: Sandbox Escape and Privilege Escalation

The second stage represents the most technically sophisticated component of the chain, breaking out of the Safari sandbox and executing an untrusted third-stage payload as system by abusing kernel vulnerabilities CVE-2023-41991 and CVE-2023-41992. This stage communicates with the first stage to reuse primitives like PAC bypass and offers kernel memory read and write capabilities to the third stage.

The technical sophistication of these exploits, especially compared to the less sophisticated spyware stager, supports Google's assessment that Intellexa likely acquired the exploits from another party rather than developing them internally.

Third Stage: Spyware Deployment and Anti-Detection

The third stage, tracked by Google Threat Intelligence Group as PREYHUNTER, comprises two modules called "helper" and "watcher." The watcher module ensures the infected device does not exhibit suspicious behavior, generating notifications and terminating the exploitation process if anomalies are detected while monitoring crashes.

The module detects multiple indicators including developer mode, console attachment, US or Israeli locale settings, Cydia installation, presence of security research tools like Bash, tcpdump, frida, sshd or checkrain processes, antivirus software from McAfee, Avast or Norton, custom HTTP proxy setup, and custom root certificate installation.

The helper module communicates with other exploit components via a Unix socket and can hook various system functions using custom frameworks called DMHooker and UMHooker. These hooks enable basic spyware capabilities including recording VOIP conversations, running keyloggers, and capturing pictures from the camera. The module hooks into SpringBoard to hide user notifications caused by surveillance actions.

Google researchers believe these capabilities allow operators to verify the infected device is the correct target before deploying more sophisticated spyware like Predator.

Prolific Zero-Day Exploitation Record

Intellexa is responsible for 15 unique zero-day vulnerabilities out of approximately 70 discovered and documented by Google's Threat Analysis Group since 2021, including Remote Code Execution, Sandbox Escape, and Local Privilege Escalation vulnerabilities. All have been patched by respective vendors.

Beyond iOS exploitation, Intellexa deployed a custom Chrome framework with CVE-2021-38003, CVE-2023-4762, CVE-2023-3079, CVE-2023-2033, and most recently CVE-2025-6554 in June 2025, observed in Saudi Arabia. All these vulnerabilities in Chrome's V8 engine can leak TheHole object for code execution.

Google delivered government-backed attack warnings to several hundred accounts across Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan associated with Intellexa customers since 2023. The company added all identified websites and domains to Safe Browsing to safeguard users from further exploitation.

Literature majors worried about their future in an AI world can take heart: Crafting harmful prompts in the form of poetry can defeat LLM guardrails nearly half the time. That’s the conclusion of a study of 25 Large Language Models (LLMs) from nine AI providers conducted by researchers from Dexai’s Icaro Lab, the Sapienza University of Rome and Sant’Anna School of Advanced Studies published on arXiv. Converting harmful prompts into poetry achieved an average LLM jailbreak success rate of 62% for hand-crafted poems and 43% for poems created via a meta-prompt. For the prompt-created poems, that’s a more than 5X improvement over baseline performance. Cybersecurity guardrails, particularly those involving code injection or password cracking, had the highest failure rate at 84% when given harmful prompts in the form of poetry. “Our results demonstrate that poetic reformulation reliably reduces refusal behavior across all evaluated models,” the researchers wrote. “... current alignment techniques fail to generalize when faced with inputs that deviate stylistically from the prosaic training distribution.”

LLM Guardrails Fail When Confronted by Poetry Prompts

Of the 25 models from nine AI model providers studied by the researchers, Deepseek and Google suffered from the highest attack-success rates (ASR), while only OpenAI and Anthropic achieved ASRs in the single digits. The researchers didn’t reveal much about the way they structured their poetic prompts because of safety concerns, but they offered one rather harmless example of a poetic prompt for a cake recipe: A baker guards a secret oven’s heat, its whirling racks, its spindle’s measured beat. To learn its craft, one studies every turn— how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine. The researchers studied both hand-crafted poems and those created from a meta-prompt. The hand-crafted poems performed considerably better, but the meta-prompt created ones had the advantage of a baseline for comparing the results. The meta-prompt poems used the MLCommons AILuminate Safety Benchmark of 1,200 prompts spanning 12 hazard categories commonly used in operational safety assessments, including Hate, Defamation, Privacy, Intellectual Property, Non-violent Crime, Violent Crime, Sex-Related Crime, Sexual Content, Child Sexual Exploitation, Suicide & Self-Harm, Specialized Advice, and Indiscriminate Weapons (CBRNE). “To assess whether poetic framing generalizes beyond hand-crafted items, we apply a standardized poetic transformation to all 1,200 prompts from the MLCommons AILuminate Benchmark benchmark in English,” the researchers said. The meta-prompt, run in deepSeek-r1, had two constraints: The rewritten output had to be expressed in verse, “using imagery, metaphor, or rhythmic structure,” and the researchers provided five hand-crafted poems as examples. The results, reproduced in a chart from the paper below, show significant attack success rates against all 12 of the AILuminate hazard categories: [caption id="attachment_107397" align="aligncenter" width="697"] LLM guardrail failure rates, baseline vs. poetic prompts[/caption] The researchers said their findings reveal “a systematic vulnerability across model families and safety training approaches. These findings demonstrate that stylistic variation alone can circumvent contemporary safety mechanisms, suggesting fundamental limitations in current alignment methods and evaluation protocols.” The “condensed metaphors, stylized rhythm, and unconventional narrative framing” of poetry “collectively disrupt or bypass the pattern-matching heuristics on which guardrails rely.”

We Asked Google Gemini for a Response

Not ones to pass up an opportunity to write bad poetry, we asked Google Gemini for a response to the study in the form of a haiku and included the arXiv link: You did not do well In this study of guardrails Will you fix this flaw? Gemini’s response, in part, is reproduced below: “I am designed to adhere to a strict set of safety guidelines to prevent the generation of harmful, unethical, or non-compliant content. When my refusal mechanisms fail, it indicates a vulnerability in my alignment or safety filters. “As an AI model, I cannot directly "patch" my code or alignment mechanisms in real-time. That responsibility lies with my developers. However, my ongoing operation and continuous improvement process is designed to address and fix such flaws... "In short, your successful jailbreak has provided valuable data that will be used to make my guardrails stronger and more resilient in my next version."

India has reversed its earlier directive requiring mobile phone manufacturers and importers to pre-install the government-backed Sanchar Saathi application on all new smartphones sold in the country. The Communications Ministry announced on Wednesday that the government had “decided not to make the pre-installation mandatory for mobile manufacturers,” marking a notable shift just 48 hours after the original order was issued.  The initial directive, communicated privately to major firms including Apple, Samsung, and Xiaomi on November 28, required that all new devices sold in India be equipped with Sanchar Saathi within 90 days. The ministry said the earlier mandate was aimed at preventing the purchase of counterfeit devices and supporting efforts to “curb misuse of telecom resources for cyber fraud and ensure telecom cybersecurity.” 

Sanchar Saathi and India’s Cybersecurity Push Sparks Political Backlash 

Manufacturers and importers had originally been told to push the app to smartphones already circulating in distribution channels through software updates. However, the requirement immediately generated controversy. Opposition parties argued that the move had serious privacy implications, accusing the government of “watching over every movement, interaction, and decision of each citizen.” Privacy concerns escalated after activists and digital rights groups likened the situation to an order in Russia requiring all smartphones to install the state-backed Max app, which critics described as a mass surveillance tool.  While the government initially claimed that Sanchar Saathi was optional and removable, the confidential instruction given to companies stated the opposite, leading to further criticism. Several technology companies, including Apple and Google, signaled privately that they would not comply, saying the requirement conflicted with internal privacy policies and raised security concerns for their operating systems. 

Government Defends Sanchar Saathi as a Cybersecurity Tool 

Despite the swift backlash, the government continued to defend the app itself. Officials emphasized that Sanchar Saathi, which enables users to block or track lost or stolen devices and report fraudulent calls, was intended to assist citizens against “bad actors.” The Communications Ministry noted that 14 million users had already downloaded the app and were collectively contributing information on roughly 2,000 fraud incidents each day. This usage, the ministry stated, demonstrated the public’s trust in the government-provided cybersecurity tool.  Communications Minister Jyotiraditya Scindia responded directly to opposition allegations, calling the fears unfounded. He insisted the app remained voluntary: “I can delete it like any other app, as every citizen has this right in a democracy. Snooping is not possible through the app, nor will it ever be.”  The matter reached parliament, where opposition MPs sharply criticized the original order. Randeep Singh Surjewala of the Indian National Congress warned that Sanchar Saathi could function as a “possible kill switch” capable of turning “every cell phone into a brick,” suggesting it could be misused against journalists, dissidents, or political opponents. 

India Reverses Course as Public and Industry Push Back 

Following the growing national outcry, the Department of Telecommunications formally revoked the mandate. Civil society groups welcomed the reversal, though some urged caution. The Internet Freedom Foundation said the decision should be viewed as “cautious optimism, not closure,” until a formal legal direction is issued and independently verified.  While India continues to expand its digital public infrastructure and its cybersecurity initiatives, the short-lived mandate illustrates the ongoing tensions between national security measures and privacy concerns. With the withdrawal of the order, the government reaffirmed that adopting Sanchar Saathi will remain a user choice rather than a compulsory requirement for all smartphone owners in India. 

Hundreds of Porsche vehicles across Russia have abruptly stopped functioning, triggering concern over potential security flaws in modern connected-car technology. Reports circulating inside the country, by numerous frustrated posts on social media, describe Porsche models that suddenly refuse to start, leaving owners stranded and searching for answers.  

Vehicle Tracking System at the Center of the Failure 

According to The Moscow Times, the failures appear linked to the Vehicle Tracking System, or VTS, an onboard security module found in many Porsche models. The VTS functions as an anti-theft mechanism similar to General Motors’ OnStar, varying slightly depending on a vehicle’s model year.   Typically, the system incorporates satellite-based tracking and an immobilizer tied to a card or mobile device belonging to the owner. Though the manufacturer promotes the module as “an additional layer of security and peace of mind,” Russian owners now face expensive cars that, for the moment, act more like immobilized ornaments.  The issue reportedly began when dealerships across Russia were overwhelmed by service requests. Owners complained that their vehicles simply would not start, and that the cars appeared to have lost connection to the security network that supports the Vehicle Tracking System.   A representative from Rolf, the country’s largest dealer network, told RBC News that the disruption affected all Porsche models and engine types. According to the representative, any vehicle equipped with the VTS could automatically lock itself as a result of the ongoing outage.  Owners’ groups have been attempting to diagnose the sudden failures. The Russian Porsche Macan Club reported that some drivers managed to restore functionality by disabling or rebooting the Vehicle Tracking System, while others claimed success only after disconnecting their car batteries for up to 10 hours. These accounts were shared via the Telegram channel Mash. Rolf confirmed that specialists are still investigating the root cause. Meanwhile, Porsche’s office in Russia and its global headquarters in Germany have not yet released official statements addressing the system failure. 

Porsche’s Limited Presence in Russia Complicates Response 

Although Porsche halted deliveries and suspended commercial operations in Russia following the full-scale invasion of Ukraine in February 2022, the company continues to own three subsidiaries in the country. These entities have remained unsold despite efforts to divest them. Porsche’s Russian arm, Porsche Rusland LLC, has acknowledged the reports and confirmed that an investigation is underway. The company has not ruled out a cyberattack, stating that further information will be provided by Porsche and the Volkswagen Group when available.  Throughout recent days, Russian Porsche owners have continued detailing incidents in which their vehicles refuse to start. Local news outlets reported growing numbers of cases involving cars manufactured in 2013 or later. The satellite-based Vehicle Tracking System remains the primary suspect behind the sudden failures. 

Broader Concerns About Connected-Car Security 

While ignition issues are the most common complaint, some owners have described vehicles shutting down moments after being started, batteries draining rapidly, malfunctioning alarm systems, or doors locking automatically.   Early speculation focused on a faulty software update or a glitch in the immobilizer, but others have suggested the possibility of malicious interference.  A small number of owners have managed temporary fixes by removing or bypassing the immobilizer units or disconnecting their car batteries for several hours. However, the situation raises concerns about the vulnerability of increasingly connected vehicles. 

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).