The market for initial access brokers has expanded rapidly over the past two years, creating a system that allows advanced threat actors to outsource the early stages of an intrusion, according to new research from Check Point. The report says this growth has made it easier for both nation-state groups and criminal actors to breach a larger number of targets.  Check Point notes that the rise of the IAB economy coincides with the growing use of cyberspace by governments as a tool for projecting power. The firm is urging policymakers and businesses to strengthen identity security, secure software supply chains and improve the resilience of operational technology systems.  “Once considered peripheral players, IABs have become a critical node in the cyber-criminal supply chain, lowering barriers to entry for sophisticated operations and enabling rapid campaign scaling,” Check Point said.  By paying IABs to handle initial access at scale, threat actors can move faster and avoid the risks associated with the early stages of an attack. According to the report, “state-backed groups and sophisticated criminal actors can reduce operational risk, accelerate execution timelines, and scale their campaigns across dozens of targets simultaneously.”  This growing reliance on brokers also complicates attribution. When an IAB is involved, IT teams and investigators often struggle to determine whether an attack was carried out by a government-backed group or by a criminal operation.  For this reason, Check Point says that “IAB activity is no longer a peripheral criminal phenomenon but a force multiplier in the broader offensive ecosystem, one that directly supports espionage, coercive operations, and potential disruption of U.S. government and critical infrastructure networks.”  The report also highlights a sharp rise in IAB activity targeting essential sectors. Healthcare saw nearly 600 percent more IAB-related attacks in 2024 compared with 2023. Government, education and transportation networks were also significantly affected.  Check Point says these increases reflect both higher demand from adversaries for access to sensitive environments and the growing professionalisation of the IAB marketplace, where access to critical systems is treated as a commodity.  The research links this broader trend to rising geopolitical tensions and the changing role of nation-state hacking. “Cyber operations have evolved from opportunistic disruptions and intelligence-gathering into deliberate, coordinated campaigns designed to achieve political, economic, and strategic outcomes,” the report says.  According to Check Point, the line between geopolitics and cyber activity has largely disappeared. State-aligned groups are using digital operations to shape crises, signal intent and impose costs on rivals, often below the threshold of open conflict.  The firm notes that spikes in geopolitical risk are closely followed by spikes in targeted cyberattacks against U.S. government systems. “Cybersecurity is no longer just a technical issue; it is a strategic imperative,” Check Point said. The report argues that resilience, deterrence and rapid recovery must now be treated as national security priorities on the same level as traditional defence planning.

  Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections. Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy. Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs. Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique. Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin. She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have." Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools. According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources." To demonstrate the risks, Rebane created a proof-of-concept that extracts text from Google Docs. Her attack overlays a “Generate Document” button on a popup. When clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once submitted, the attacker-controlled interface secretly feeds a suggested Google Docs file name into a hidden textbox. While typical framing restrictions would prevent this, Google Docs allows itself to be embedded, making the attack viable. Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints. Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection. She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there." Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains. Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well. Rebane also pointed out potential mitigations—highlighting the Intersection Observer v2 API, which can detect when an SVG filter is positioned above an iframe. Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.

Retailers rely heavily on the year-end shopping season, but it also happens to be the period when online threats rise faster than most organizations can respond. During the rush, digital systems handle far more traffic than usual, and internal teams operate under tighter timelines. This combination creates a perfect opening for attackers who intentionally prepare their campaigns weeks in advance and deploy automated tools when stores are at their busiest. Security analysts consistently report that fraudulent bot traffic, password-testing attempts, and customer account intrusions grow sharply during the weeks surrounding Black Friday, festive sales, and year-end shopping events. Attackers time their operations carefully because the chance of slipping through undetected is higher when systems are strained and retailers are focused on maintaining performance rather than investigating anomalies. A critical reason criminals favor this season is the widespread reuse of passwords. Large collections of leaked usernames and passwords circulate on criminal forums, and attackers use automated software to test these combinations across retail login pages. These tools can attempt thousands of logins per minute. When one match succeeds, the attacker gains access to stored payment information, saved addresses, shopping histories, loyalty points, and in some cases stored tokenized payment methods. All of these can be exploited immediately, which makes the attack both low-effort and highly profitable. Another layer of risk arises from the credentials of external partners. Many retailers depend on vendors for services ranging from maintenance to inventory support, which means third-party accounts often hold access to internal systems. Past retail breaches have shown that attackers frequently begin their intrusion not through the company itself but through a partner whose login rights were not secured with strong authentication or strict access controls. This amplifies the impact far beyond a single compromised account, highlighting the need for retailers to treat vendor and contractor credentials with the same seriousness as internal workforce accounts. Balancing security with customer experience becomes especially challenging during peak seasons. Retailers cannot introduce so much friction that shoppers abandon their carts, yet they also cannot ignore the fact that most account takeovers begin with weak, reused, or compromised passwords. Modern authentication frameworks recommend focusing on password length, screening new passwords against known breach data, and reducing reliance on outdated complexity rules that frustrate users without meaningfully improving security. Adaptive multi-factor authentication is viewed as the most practical solution. It triggers an additional verification step only when something unusual is detected, such as a login from an unfamiliar device, a significant change to account settings, or a suspicious location. This approach strengthens security without slowing down legitimate customers. Internal systems require equal attention. Administrative dashboards, point-of-sale backends, vendor portals, and remote-access platforms usually hold higher levels of authority, which means they must follow a stricter standard. Mandatory MFA, centralized identity management, unique employee credentials, and secure vaulting of privileged passwords significantly reduce the blast radius of any single compromised account. Holiday preparedness also requires a layered approach to blocking automated abuse. Retailers can deploy tools that differentiate real human activity from bots by studying device behavior, interaction patterns, and risk signals. Rate limits, behavioral monitoring for credential stuffing, and intelligence-based blocking of known malicious sources help limit abuse without overwhelming the customer experience. Invisible or background challenge mechanisms are often more effective than traditional CAPTCHAs, which can hinder sales during peak traffic. A final but critical aspect of resilience is operational continuity. Authentication providers, SMS delivery routes, and verification systems can fail under heavy demand, and outages during peak shopping hours can have direct financial consequences. Retailers should run rehearsals before the season begins, including testing failover paths for sign-in systems, defining emergency access methods that are short-lived and fully auditable, and ensuring there is a manual verification process that stores can rely on if digital systems lag or fail. Running load tests and tabletop exercises helps confirm that backup procedures will hold under real stress. Strengthening password policies and monitoring for compromised credentials also plays a vital role. Tools that enforce password screenings against known breach databases, encourage passphrases, restrict predictable patterns, and integrate directly with directory services allow retailers to apply consistent controls across both customer-facing and internal systems. Telemetry from these tools can reveal early signs of suspicious behavior, providing opportunities to intervene before attackers escalate their actions. With attackers preparing earlier each year and using highly automated methods, retailers must enter the holiday season with defenses that are both proactive and adaptable. By tightening access controls, reinforcing authentication, preparing for system failures, and using layered detection methods, retailers can significantly reduce the likelihood of account takeovers and fraud, all while maintaining smooth and reliable shopping experiences for their customers.

 A newly disclosed vulnerability in Apache Tika has had the cybersecurity community seriously concerned because researchers have confirmed that it holds a maximum CVSS severity score of 10.0. Labeled as CVE-2025-66516, the vulnerability facilitates XXE attacks and may allow attackers to gain access to internal systems along with sensitive data by taking advantage of how Tika processes certain PDF files.  Apache Tika is an open-source, highly-used framework for extracting text, metadata, and structured content from a wide array of file formats. It is commonly used within enterprise workflows including compliance systems, document ingestion pipelines, Elasticsearch and Apache Solr indexing, search engines, and automated content scanning processes. Because of its broad use, any severe issue within the platform has wide-ranging consequences.   According to the advisory for the project, the vulnerability exists in several modules, such as tika-core, tika-parsers, and the tika-pdf-module, on different versions, from 1.13 to 3.2.1. The issue allows an attacker to embed malicious XFA -- a technology that enables XML Forms Architecture -- content inside PDF files. Upon processing, Tika may execute unwanted calls to embedded external XML entities, thus providing a way to fetch restricted files or gain access to internal resources.   The advisory points out that CVE-2025-66516 concerns an issue that was previously disclosed as CVE-2025-54988, but its scope is considerably broader. Whereas the initial advisory indicated the bug was limited to the PDF parser, subsequent analysis indicated that the root cause of the bug-and therefore the fix-represented in tika-core, not solely its parser component. Consequently, any organization that has patched only the parser without updating tika-core to version 3.2.2 or newer remains vulnerable.  Researchers also provided some clarification to note that earlier 1.x releases contained the vulnerable PDF parser in the tika-parsers module, so the number of affected systems is higher than initial reporting indicated.  XXE vulnerabilities arise when software processes XML input without required restrictions, permitting an attacker to use external entities (these are references that can point to either remote URLs or local files). Successfully exploited, this can lead to unauthorized access, SSRF, disclosure of confidential files, or even an escalation of this attack chain into broader compromise.  Project maintainers strongly recommend immediate updates for all deployments. As no temporary configuration workaround has been confirmed, one can only install patched versions.

 FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024.  FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild.  The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds. Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos.  The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.

New Android malware found Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. Upgraded version of ClayRat was also found in the wild.  About the malware  FvncBot works as a security app built by mBank and attacks mobile banking users in Poland. The malware is written from scratch and is different from other banking trojans such as ERMAC whose source codes have been leaked. According to Intel 471, the malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud." Like the Albiriox banking malware, this trojan is shielded by a service called apk0day that Golden Crypt offers. Attack tactic  After the dropper app is launched, users are asked to download a Google Play component for security of the app. But in reality, it deploys the malware via session-based approach which other actors adopt to escape accessibility restrictions on Android devices version 13 and above. According to Intel 471, "During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot." After this, the malware asks victims for accessibility services permission, it then gets privileges and connects to an external server.  Malware capabilities  FvncBot also triggers a text mode to analyze the device screen layout and content even in cases where an app doesn't allow screenshots by setting the FLAG_SECURE option.  Experts don't yet know how FvncBot is getting widespread, but Android banking trojans leverage third-party app stores and SMS phishing as a distribution vector.  According to Intel 471, "Android's accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen's display."  The firm added that the sample was built to "target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions." Beyond the immediate threat to banking and cryptocurrency users, the emergence of FvncBot, SeedSnatcher, and the upgraded ClayRat underscores a troubling evolution in mobile-malware design: an increasing shift toward “full-device takeover” rather than mere credential theft. By exploiting legitimate features, such as Android’s accessibility services, screen-streaming APIs, and overlay permissions, these trojans can invisibly hijack almost every function of a smartphone: logging keystrokes, intercepting SMS-delivered 2FA codes, capturing screen contents even when apps try to block screenshots, and executing arbitrary commands as though the real user were interacting with the device.  This marks a new class of threat in which a compromised phone becomes a proxy tool for remote attackers: they don’t just steal data, they can impersonate the user, conduct fraudulent transactions, or monitor every digital activity. Hence, users worldwide, not only in Poland or crypto-heavy regions, must remain vigilant: the architecture these threats use is platform-wide, not region-specific, and could easily be repurposed for broader global campaigns.

  The recently discovered wave of malicious activity has raised fresh concerns for cybersecurity analysts, who claim that ShadowV2 - a fast-evolving strain of malware that is quietly assembling a global network of compromised devices - is quietly causing alarm. It appears that the operation is based heavily upon Mirai's source code and is much more deliberate and calculated than previous variants. The operation is spread across more than 20 countries.  Moreover, ShadowV2 has been determined to have been created by actors exploiting widespread misconfigurations in everyday Internet of Things hardware. This is an increasingly common weakness in modern digital ecosystems and it is aimed at building a resilient, stealthy, and scaleable botnet. The campaign was discovered by FortiGuard Labs during the Amazon Web Services disruption in late October, which the operators appeared to have been using to cover up their activity.  During the outage, the malware spiked in activity, an activity investigators interpret to be the result of a controlled test run rather than an opportunistic attack, according to the report. During its analysis of devices from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375), and DigiEver (CVE-2024-53375), ShadowV2 was observed exploiting a wide range of CVE-2024-53375.  A campaign’s ability to reach out across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts. This ecosystem is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks in the future.  ShadowV2 exploited a variety of vulnerabilities that have been identified for a long time in IoT security, particularly in devices that have already been retired by manufacturers. This report, which is based on a research project conducted by NetSecFish, identified a number of vulnerabilities that could be affecting D-Link products that are at the end of their life cycle.  The most concerning issue is CVE-2024-10914, which is a command-injection flaw affecting end-of-life D-Link products. In November 2024, a related issue, CVE-2024-10915, was found by researchers in a report published by NetSecFish. However, after finding no advisory, D-Link later confirmed that the affected devices had reached end of support and were unpatched.  The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement that has directly related to the ShadowV2 campaign, reminding customers that outdated hardware will no longer receive security updates or maintenance, and that security updates will not be provided on them anymore.  During the same period, a vulnerability exploited by the botnet, CVE-2024-53375, was revealed. This vulnerability has been reported to have been resolved through a beta firmware update. Considering that all of these lapses are occurring together, they serve as an excellent illustration of the fact that aging consumer devices continue to serve as a fertile ground for large-scale malicious operations long after support has ended, as many of these devices are left running even after support has ended.  Based on the analysis of the campaign, it seems as though ShadowV2's operators use a familiar yet effective distribution chain to spread its popularity and reach as widely as possible. By exploiting a range of vulnerable IoT vulnerabilities, the attackers are able to download a software program known as binary.sh, which is located at 81[.]88[.]18[.]108, which is the command server's location. As soon as the script is executed, it fetches the ShadowV2 payload - every sample is identified by the Shadow prefix - which is similar to the well-known Mirai offshoot LZRD in many ways. A recent study examining the x86-64 build of the malware, shadow.x86_64, has found that the malware initializes its configuration and attack routines by encoding them using a light-weight XOR-encoding algorithm, encrypting them with one byte (0x22) to protect file system paths, HTTP headers, and User-Agent strings using a single byte key.  As soon as these parameters are decoded, the bot connects with its command-and-control server, where it waits for instructions on how to launch distributed denial-of-service attacks. While aesthetically modest in nature, this streamlined design is a reflection of a disciplined and purpose-built approach which makes it easy for deployment across diverse hardware systems without attracting attention right away.  According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion.  An infection sequence that has been observed across multiple incidents follows a consistent pattern: attackers are the ones who break into a vulnerable device, then they download the ShadowV2 payload via 81[.]88[.]18[.]108, and then they proceed to install it. The malware connects to its command server at silverpath[.]shadowstresser[.]info immediately after it has been installed, allowing it to be part of a distributed network geared towards coordinated attacks.  Once installed, the malware immediately resides on the compromised device. In addition to supporting a wide range of DDoS techniques, including UDP, TCP, and HTTP, the botnet is well suited for high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns.  Researchers claim that ShadowV2's initial activity window may have been purposefully chosen to be the right time to conduct its initial operations. It is perfectly possible to test botnets at an early stage in the early stages of their development during major outages, such as the AWS disruption of late October, as sudden traffic irregularities are easily blended into the broader instability of the service.  By targeting both consumer-grade and enterprise-grade IoT systems, operators seem to be building an attack fabric that is flexible and geographically diffuse, and capable of scaling rapidly, even in times of overwhelming defensive measures. While the observation was brief, analysts believe that it served as a controlled proof-of-concept that could be used to determine if a more expansive or destructive return could occur as a result of future widespread outages or high-profile international events.  Fortinet has issued a warning for consumers and organizations to strengthen their defenses before similar operations occur in the future, in light of the implications of the campaign. In addition to installing the latest firmware on all supported IoT and networking devices, the company emphasizes the importance of decommissioning any end-of-life D-Link or other vendor devices, as well as preventing unnecessary internet-exposed features such as remote management and UPnP, to name just a few.  Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries are monitored for anomalies, and strong, unique passwords should be enforced across all interfaces of all connected devices. As a whole, these measures aim to reduce the attack surface that has enabled the rapid emergence of IoT-driven botnets such as ShadowV2 to flourish.  As for ShadowV2's activity, it has only been limited to the short window of the Amazon Web Services outage, but researchers stress that it should act as a timely reminder of the fragile state of global IoT security at the moment. During the campaign, it is stressed that the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise of those devices has been underscored.  Defendants will benefit from an extensive set of indicators of compromise that Fortinet has released in order to assist them with proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. When ShadowV2 emerged, there was an even greater sense of concern when Microsoft disclosed just days later, days after its suspected test run, that Azure had been able to defend against what they called the largest cloud-based DDoS attack ever recorded.  As a result of this attack, attributed to the Aisuru botnet, an unprecedented 15.72 Tbps was reached, resulting in nearly 3.64 billion packets per second being delivered. Despite the attack, Microsoft reported that it had successfully been absorbed by its cloud DDoS protection systems on October 24, thus preventing any disruptions to customer workflows.  Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots.  Due to the convergence of aging consumer hardware and incomplete patch ecosystems, as well as the increasing sophistication of adversaries, an overlooked device can become a launchpad for global-scale attacks as a result of this emergence. According to experts, real resilience will require more than reactive patching: settings that embed sustained visibility into their networks, enforcing strict asset lifecycle management, and incorporating architectures that limit the blast radius of inevitable compromises are all priorities that need to be addressed.  Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets.  In the face of attacks that demonstrate a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-based preparedness as soon as possible. As they argue, the ShadowV2 incident serves as a timely reminder that strengthening the foundations of IoT security today is crucial to preventing much more disruptive campaigns from unfolding tomorrow.

Cybersecurity researchers have sounded the alarm about a new malware campaign called JS#SMUGGLER, which is using hacked websites to distribute the NetSupport remote access trojan (RAT). Securonix analysed the attack method, describing it as a multi-stage sequence designed to evade detection and grant attackers full control of infected systems.  The chain begins with an obfuscated JavaScript loader that is injected into a compromised website. It then progresses to an HTML Application (HTA) file that launches encrypted PowerShell stagers through the Windows tool mshta.exe, followed by a PowerShell payload that downloads the main RAT.  According to researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, “NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft and proxy capabilities.”  There is currently no clear link to a specific threat group or country. The campaign targets enterprise users by redirecting them through infected websites, indicating broad targeting rather than a focused sector-specific effort.  Securonix said the malware uses hidden iframes, scrambled JavaScript loaders and layered script execution. When a victim visits a compromised website, the injected script checks the device type. Mobile users are redirected to a full-screen iframe, while desktop users are sent to a second-stage malicious script.  A tracking mechanism makes the payload fire only during the first visit to help avoid detection. The first-stage script builds the URL for the HTA payload at runtime and launches it using mshta.exe. The HTA file then runs a temporary PowerShell stager in memory. It disables visible window elements and removes itself afterwards to reduce digital traces.  Once executed, the PowerShell payload downloads NetSupport RAT, giving the attacker remote control of the infected machine. Securonix called the campaign evidence of “a sophisticated and actively maintained malware framework.”  The company advised defenders to use strong content security policies, script monitoring, PowerShell logging and restrictions on mshta.exe to detect similar activity.  Additional findings show the JavaScript dropper also writes two more files to the TEMP directory:  * svchost.js, which installs a .NET loader known as DarkTortilla  * adobe.js, which drops PHat.jar, an MSI installer with similar behavior  In the attack, the loader decrypts and runs an embedded DLL for the Formbook malware, a keylogger and an information stealer. Persistence is achieved by placing the payload in the Windows startup folder or adding entries to the Windows Registry. Securonix noted, “The threat actors combine social engineering, heavy script obfuscation and advanced .NET evasion techniques to successfully compromise targets.”  The researchers added that reflective loading allows the final malware to run without storing it as a traditional file, which makes investigation more difficult. The disclosure follows recent research from the same firm about CHAMELEON#NET, another multi-stage malware campaign used to deliver Formbook via phishing messages. That campaign targeted the National Social Security sector and used fake webmail login pages and compressed archives to lure victims.

  Meta has started taking down accounts belonging to Australians under 16 on Instagram, Facebook and Threads, beginning a week before Australia’s new age-restriction law comes into force. The company recently alerted users it believes are between 13 and 15 that their profiles would soon be shut down, and the rollout has now begun. Current estimates suggest that a large number of accounts will be affected, including roughly hundreds of thousands across Meta’s platforms. Since Threads operates through Instagram credentials, any underage Instagram account will also lose access to Threads. Australia’s new policy, which becomes fully active on 10 December, prevents anyone under 16 from holding an account on major social media sites. This law is the first of its kind globally. Platforms that fail to take meaningful action can face penalties reaching up to 49.5 million Australian dollars. The responsibility to monitor and enforce this age limit rests with the companies, not parents or children. A Meta spokesperson explained that following the new rules will require ongoing adjustments, as compliance involves several layers of technology and review. The company has argued that the government should shift age verification to app stores, where users could verify their age once when downloading an app. Meta claims this would reduce the need for children to repeatedly confirm their age across multiple platforms and may better protect privacy. Before their accounts are removed, underage users can download and store their photos, videos and messages. Those who believe Meta has made an incorrect assessment can request a review and prove their age by submitting government identification or a short video-based verification. The new law affects a wide list of services, including Facebook, Instagram, Snapchat, TikTok, Threads, YouTube, X, Reddit, Twitch and Kick. However, platforms designed for younger audiences or tools used primarily for education, such as YouTube Kids, Google Classroom and messaging apps like WhatsApp, are not included. Authorities have also been examining whether children are shifting to lesser-known apps, and companies behind emerging platforms like Lemon8 and Yope have already begun evaluating whether they fall under the new rules. Government officials have stated that the goal is to reduce children’s exposure to harmful online material, which includes violent content, misogynistic messages, eating disorder promotion, suicide-related material and grooming attempts. A national study reported that the vast majority of children aged 10 to 15 use social media, with many encountering unsafe or damaging content. Critics, however, warn that age verification tools may misidentify users, create privacy risks or fail to stop determined teenagers from using alternative accounts. Others argue that removing teens from regulated platforms might push them toward unmonitored apps, reducing online safety rather than improving it. Australian authorities expect challenges in the early weeks of implementation but maintain that the long-term goal is to reduce risks for the youngest generation of online users.

Your organization can now read your texts Microsoft stirred controversy when it revealed a Teams update that could tell your organization when you're not at work. Google did the same. Say goodbye to end-to-end encryption. With this new RCS and SMS Android update, your RCS and SMS texts are no longer private.  According to Android Authority, "Google is rolling out Android RCS Archival on Pixel (and other Android) phones, allowing employers to intercept and archive RCS chats on work-managed devices. In simpler terms, your employer will now be able to read your RCS chats in Google Messages despite end-to-end encryption.” Only for organizational devices  This is only applicable to work-managed devices and doesn't impact personal devices. In regulated industries, it will only add RCS archiving to existing SMS archiving. In an organization, however, texting is different than emailing. In the former, employees sometimes share about their non-work life. End-to-end encryptions keep these conversations safe, but this will no longer be the case. The end-to-end question  There is alot of misunderstanding around end-to-end encryption. It protects messages when they are being sent, but once they are on your device, they are decrypted and no longer safe.  According to Google, this is "a dependable, Android-supported solution for message archival, which is also backwards compatible with SMS and MMS messages as well. Employees will see a clear notification on their device whenever the archival feature is active.” What will change? With this update, getting a phone at work is no longer as good as it seems. Employees have always been insecure about the risks in over-sharing on email, as it is easy to spy. But not texts.  The update will make things different. According to Google, “this new capability, available on Google Pixel and other compatible Android Enterprise devices gives your employees all the benefits of RCS — like typing indicators, read receipts, and end-to-end encryption between Android devices — while ensuring your organization meets its regulatory requirements.” Promoting organizational surveillance  Because of organizational surveillance, employees at times turn to shadow IT systems such as Whatsapp and Signal to communicate with colleagues. The new Google update will only make things worse.  “Earlier,” Google said, ““employers had to block the use of RCS entirely to meet these compliance requirements; this update simply allows organizations to support modern messaging — giving employees messaging benefits like high-quality media sharing and typing indicators — while maintaining the same compliance standards that already apply to SMS messaging."

 More than 30 security weaknesses in various AI-powered IDEs have recently been uncovered, raising concerns as to how emerging automated development tools might unintentionally expose sensitive data or enable remote code execution. A collective set of vulnerabilities, referred to as IDEsaster, was termed by security researcher Ari Marzouk (MaccariTA), who found that such popular tools and extensions as Cursor, Windsurf, Zed.dev, Roo Code, GitHub Copilot, Claude Code, and others were vulnerable to attack chains leveraging prompt injection and built-in functionalities of the IDEs. At least 24 of them have already received a CVE identifier, which speaks to their criticality.  However, the most surprising takeaway, according to Marzouk, is how consistently the same attack patterns could be replicated across every AI IDE they examined. Most AI-assisted coding platforms, the researcher said, don't consider the underlying IDE tools within their security boundaries but rather treat long-standing features as inherently safe. But once autonomous AI agents can trigger them without user approval, the same trusted functions can be repurposed for leaking data or executing malicious commands.  Generally, the core of each exploit chain starts with prompt injection techniques that allow an attacker to redirect the large language model's context and behavior. Once the context is compromised, an AI agent might automatically execute instructions, such as reading files, modifying configuration settings, or writing new data, without the explicit consent of the user. Various documented cases showed how these capabilities could eventually lead to sensitive information disclosure or full remote code execution on a developer's system. Some vulnerabilities relied on workspaces being configured for automatic approval of file writes; thus, in practice, an attacker influencing a prompt could trigger code-altering actions without any human interaction.  Researchers also pointed out that prompt injection vectors may be obfuscated in non-obvious ways, such as invisible Unicode characters, poisoned context originating from Model Context Protocol servers, or malicious file references added by developers who may not suspect a thing. Wider concerns emerged when new weaknesses were identified in widely deployed AI development tools from major companies including OpenAI, Google, and GitHub.  As autonomous coding agents see continued adoption in the enterprise, experts warn these findings demonstrate how AI tools significantly expand the attack surface of development workflows. Rein Daelman, a researcher at Aikido, said any repository leveraging AI for automation tasks-from pull request labeling to code recommendations-may be vulnerable to compromise, data theft, or supply chain manipulation. Marzouk added that the industry needs to adopt what he calls Secure for AI, meaning systems are designed with intentionality to resist the emerging risks tied to AI-powered automation, rather than predicated on software security assumptions.

 The Indian Ministry of Home Affairs has revealed that seven key airports in the country were hit by GPS spoofing cyber attacks in November 2025, Union Civil Aviation Minister Ram MohanNaidu said. The airports affected are the Indira Gandhi International Airport in Delhi, the Chhatrapati Shivaji Maharaj International Airport in Mumbai, and those in Kolkata, Hyderabad, Bengaluru, Chennai and Amritsar.  Nature of the attack  GPS spoofing, which consists of sending fake satellite signals to navigation receivers and makes the aircraft systems believe that it is at a different location and altitude. A number of flights to Runway 10 at the Delhi airport reported being misled by false GPS signals in the midst of GPS approach routines. A number of aircraft suffered navigation systems falsely displaying their locations as far as 60 nautical miles from their actual position, causing some to divert to nearby cities.  While highlighting the gravity of these attacks, Minister Naidu said, that “no incidents of flight operations being interfered or flights being delayed on account of GPS spoofing were reported.” The aviation regulators were forced to invoke contingency procedures for GPS-spoofed flights, which did not affect scheduled operations on other runways, equipped with more traditional navigational aids. The seamless operations were attributed to India’s strong backup systems and safety procedures in place. In addition, India operates a Minimum Operating Network (MON) of ground-based navigation and surveillance systems as a backup in the event of disruption of space-based systems. Such a fail-safe model, applied all over the world among satellite navigation and communication providers, ensures the continued availability of traditional navigation means over the skies, when the reception of signals from satellites is lost. The use of the MON enable the aviation community to keep the skies open even in the face of sophisticated cyber attacks on GPS.  Government response and investigation  Earlier, the DGCA had issued advisories on GNSS signal jamming and spoofing in the airspace on 24 November 2023, and subsequently Standard Operating Procedure (SOP) guidelines on 10 November 2025 for reporting in real-time GPS jamming and spoofing incidents. Post the recent attacks, Airports Authority of India (AAI) has approached Wireless Monitoring Organization (WMO) to trace the source of interference/spoofing. During a high-level meeting, the WMO was directed to mobilize additional resources to pinpoint the spoofing source based on approximate location details shared by DGCA and AAI.  Minister Naidu believes that the threats are global, and now more frequently in the form of ransomware and malware attacks targeting aviation. As a result, AAI is rolling out state-of-the-art cybersecurity solutions for IT networks and infrastructure in lieu with the directions from the National Critical Information Infrastructure Protection Centre (NCIIPC) under the Ministry of Home Affairs and the Indian Computer Emergency Response Team (CERT-In). India is also actively engaging in global platforms for learning and sharing of most recent best practices, tools, and techniques to enable real time implementation of security measures.

  A human rights attorney from Pakistan’s Balochistan region was recently sent a suspicious WhatsApp link from an unidentified number—an incident that Amnesty International says marks the first known targeting of a civil society actor in the country with Intellexa’s Predator spyware. According to Amnesty, the URL displayed clear indicators of a "Predator attack attempt based on the technical behaviour of the infection server, and on specific characteristics of the one-time infection link which were consistent with previously observed Predator 1-click links." Pakistan has rejected the accusations, stating "there is not an iota of truth in it." These revelations stem from a collaborative investigation involving Haaretz (Israel), Inside Story (Greece), and Inside IT (Switzerland). The findings are based on leaked company documents, internal communications, marketing materials, and training videos. Intellexa, known for developing the mercenary spyware Predator, offers an advanced surveillance tool similar to NSO Group’s Pegasus. The product can clandestinely extract sensitive data from Android and iOS devices. Internal leaks indicate that Predator has also been branded under names such as Helios, Nova, Green Arrow, and Red Arrow. To deploy the spyware, attackers commonly rely on malicious links sent through communication platforms. These links exploit undisclosed vulnerabilities through zero-click or one-click methods. If the intended target taps the link, a browser exploit in Google Chrome (Android) or Apple Safari (iOS) initiates access to the device, enabling the download of the main payload. Google’s Threat Intelligence Group (GTIG) linked Intellexa to multiple zero-day exploits—either developed internally or purchased externally—including: * CVE-2025-48543 – Android Runtime UAF * CVE-2025-6554 – V8 Type Confusion (Chrome) * CVE-2023-41993 – WebKit JIT RCE * CVE-2023-41992 – Kernel IPC UAF * CVE-2023-41991 – Certificate validation bypass (Apple Security) * CVE-2024-4610 – Use-after-free in Arm GPU drivers Several other historic V8 and Chrome vulnerabilities In 2023, an iOS exploit chain deployed against individuals in Egypt combined CVE-2023-41993 with a framework called JSKit to run native code. GTIG noted the same exploit was used in a watering-hole attack linked to Russian state-backed hackers targeting Mongolian government websites, implying possible third-party supply of the exploits. Google explained that "the JSKit framework is well maintained, supports a wide range of iOS versions, and is modular enough to support different Pointer Authentication Code (PAC) bypasses and code execution techniques." It can manually load and run Mach-O binaries directly from memory. Once CVE-2023-41993 is abused, the attack escalates through CVE-2023-41991 and CVE-2023-41992 to escape Safari’s sandbox. This paves the way for a third-stage module known as PREYHUNTER. PREYHUNTER consists of: * Watcher: Monitors device behavior, ensuring the exploit remains undetected * Helper: Interfaces via a Unix socket to deploy hooks for keylogging, VoIP recording, and camera access Intellexa also maintains a dedicated framework for exploiting Chrome’s V8 vulnerabilities, including CVE-2021-38003, CVE-2023-2033, CVE-2023-3079, CVE-2023-4762, and CVE-2025-6554, the last of which was reportedly used in Saudi Arabia in June 2025. Once active on a device, Predator can extract data from messaging apps, calls, emails, location records, passwords, and screenshots. It can also activate the microphone for ambient audio recording and capture photos using the camera. All collected data is sent to servers inside the customer’s country. Intellexa and several executives were sanctioned by the United States last year for creating and distributing the spyware, which authorities said undermines civil rights. Yet Predator infrastructure remains active in over a dozen countries, primarily in Africa, according to a June 2025 report by Recorded Future’s Insikt Group. One of the most alarming disclosures is that Intellexa employees allegedly retained the ability to remotely access Predator systems hosted by its clients—including government installations—via TeamViewer. Amnesty's Jurre van Bergen warned: "The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs – allowing company staff to see details of surveillance operations and targeted individuals raises questions about its own human rights due diligence processes." He added that if a spyware vendor is directly involved in operations, "it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware." The report also outlines how Intellexa uses several delivery techniques that do not require targets to click malicious links. These include tools such as Triton (disclosed in 2023), Thor, and Oberon, along with remote delivery strategies that rely on internet or mobile networks. Its three major strategic vectors include: * Mars and Jupiter – Network injection tools requiring cooperation between ISPs or mobile operators to perform adversary-in-the-middle (AitM) attacks using unencrypted HTTP traffic or intercepted domestic HTTPS traffic. * Aladdin – A zero-click technique that exploits mobile advertising by delivering a malicious ad that triggers infection automatically. Amnesty noted: "The Aladdin system infects the target's phone by forcing a malicious advertisement created by the attacker to be shown on the target's phone." Google confirmed it collaborated with partners to identify companies linked to Intellexa that operated within the ad ecosystem and to shut down those accounts. Recorded Future separately identified two companies—Pulse Advertise and MorningStar TEC—suspected of managing ads tied to the Aladdin vector. The same report observed ongoing Predator infrastructure communication associated with customers in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Meanwhile, communication from Predator systems in Botswana, Trinidad and Tobago, and Egypt stopped around mid-2025. Recorded Future noted this could mean those governments ended their use of Predator—or alternatively shifted to new servers or infrastructure.

  Cybercriminals have once again revived an old trick—but with a more convincing disguise. This time, scammers are exploiting the name of the official RTO e-challan system to deceive smartphone users. Over the past year, malicious APK files have been circulated in the form of fake wedding invitations, PM-Kisan alerts, courier updates, and KYC notices. Now, the same method is being used to send fraudulent “RTO Challan” messages on WhatsApp, luring victims into installing powerful spyware. The fraud begins with a seemingly urgent WhatsApp alert claiming that a traffic challan has been issued against the recipient’s vehicle. The message includes a link or an attachment labelled as an e-challan file. Many users, acting out of fear or confusion, click the file—unknowingly giving criminals full access to their device. Victims typically receive a message saying: “An e-challan has been issued for your vehicle. Download the file below to view details.” The attachment is an APK file with names like RTO_Challan.apk or E-Challan_Details.apk. Once downloaded, the file installs automatically on Android phones and begins functioning as spyware. After installation, the malware: * Provides hackers complete remote access to the device * Captures banking app information, OTPs, contacts, and personal files * Automatically sends the same malicious APK to all WhatsApp contacts * Enables criminals to execute online banking transactions undetected Cyber experts warn that this form of malware is extremely dangerous because no further interaction is required—the victim’s phone essentially becomes a control panel for the fraudster. APK (Android Package Kit) files are standard installation packages for Android apps. While apps on the Google Play Store undergo safety checks, APKs sent through WhatsApp, SMS, email, or Telegram do not. Many users mistake APK files for regular documents or images and tap them without realizing the risk. This lack of awareness makes such scams highly effective. How the scam could evolve further Scammers typically exploit themes that trigger fear, urgency, or excitement. Experts believe similar APK-based attacks may soon appear in the form of: * PM-Kisan installment notifications * Overdue electricity bill alerts * Passport or courier delivery updates * Lottery or prize winnings * Bank KYC reminders * Government scheme eligibility messages While the topics may change, the underlying tactic remains the same: tricking users into downloading malware via a fake APK.7 essential safety steps * Never download APK files received through WhatsApp—even from known contacts. * Verify real traffic challans only through: echallan.parivahan.gov.in * Remember: wedding invitations, PDFs, photos, and government documents never come in .apk format. * If a known person sends an APK, call to confirm—it may be sent from a hacked account. * Disable Install apps from unknown sources in your device settings. * If you downloaded a suspicious APK: * Turn off mobile data/Wi-Fi immediately * Uninstall the unknown app * Change all banking passwords and PINs * In case of financial fraud, call 1930 (National Cyber Fraud Helpline) without delay. As digital transactions become more common, cyber risks continue to grow. The ongoing fake RTO challan scam is a strong reminder to stay vigilant—check every link, scrutinize every file, and never trust unsolicited messages. Most importantly, ensure senior citizens and less tech-savvy users are informed, as they are the most vulnerable. Just one infected APK is enough to compromise your phone and drain your bank account in minutes.

  Among the developments that have disturbed security teams around the world, threat-intelligence analysts have detected a sudden and unusually coordinated wave of probing of Palo Alto Networks' GlobalProtect remote access infrastructure. This activity appears to be influenced by the presence of well-known malicious fingerprints and well-worn attack mechanisms. It has been revealed in new reports from GreyNoise that the surge began on November 14 and escalated sharply until early December, culminating in more than 7,000 unique IP addresses trying to log into GlobalProtect portals through the firm's Global Observation Grid monitored by GlobalProtect. This influx of hostile activity has grown to the highest level in 90 days and has prompted fresh concerns among those defending the computer system from attempts to hack themselves, who are watching for signs that such reconnaissance is likely to lead to a significant breach of their system.  In general, the activity stems mostly from infrastructure that operates under the name 3xK GmbH (AS200373), which accounts for approximately 2.3 million sessions which were directed to the global-protect/login.esp endpoint used by Palo Alto's PAN-OS and GlobalProtect products. The data was reported by GreyNoise to reveal that 62 percent of the traffic was geolocated in Germany, with 15 percent being traced to Canada.  In parallel, AS208885 contributed a steady stream of probing throughout the entire network. As a result of early analysis, it is clear that this campaign requires continuity with prior malicious campaigns that targeted Palo Alto equipment, showing that recurring TCP patterns were used, repeated JA4T signatures were seen, and that infrastructure associated with known threat actors was reused.  Despite the fact that the scans were conducted mainly in the United States, Mexico, and Pakistan regions, all of them were subjected to a comparable level of pressure, which suggested a broad, opportunistic approach as opposed to a narrowly targeted campaign, and served as a stark reminder of the persistent attention adversaries pay to remote-access technologies that are widely deployed.  There has been a recent increase in the activity of this campaign, which is closely related to the pattern that was first observed between late September and mid-October, when three distinct fingerprints were detected among more than nine million nonspoofable HTTP sessions, primarily directed towards GlobalProtect portals, in an effort to track the attacks.  There is enough technical overlap between four autonomous systems that originate those earlier scans to raise early suspicion, even though they had no prior history of malicious behavior. At the end of November, however, the same signatures resurfaced from 3xK Tech GmbH’s infrastructure in a concentrated burst. This event generated about 2.3 million sessions using identical TCP and JA4t indicators, with the majority of the traffic coming from IP addresses located in Germany.  In the present, GreyNoise is highly confident that both phases of activity are associated with a single threat actor. It has now been reported that fingerprints of the attackers have reapplied on December 3, this time in probing attempts against SonicWall's SonicOS API, suggesting more than a product-specific reconnaissance campaign, but a more general reconnaissance sweep across widely deployed perimeter technologies. According to security analysts, GlobalProtect remains a high-profile target because of its deep penetration into enterprise networks and its history of high-impact vulnerabilities.  It is important to note, however, that CVE-2024-3400 is still affecting unremedied systems despite being patched in April 2024 with a 9.8 rating due to a critical command-injection flaw, CVE-2024-3400. During recent attacks, malicious actors have used pre-authentication access as a tool for enumerating endpoints, brute-forcing credentials, and deploying malware to persist by exploiting misconfigurations that allow pre-authentication access, such as exposed administrative portals and unchanged default credentials.  They have also developed custom tools modeled on well-known exploitation frameworks. Although researchers caution that no definitive attribution has been established for the current surge of activity, Mandiant has observed the same methods being used by Chinese state-related groups like UNC4841 in operations linked to those groups. A number of indicators of confirmed intrusions have included sudden spikes in UDP traffic to port 4501, followed by HTTP requests to "/global-protect/login.urd," from which attackers have harvested session tokens and gotten deeper into victim environments by harvesting session tokens. According to a Palo Alto Networks advisory dated December 5, administrators are urged to harden exposed portals with multi-factor authentication, tighten firewall restrictions, and install all outstanding patches, but noted that properly configured deployments remain resilient despite the increased scrutiny. Since then, CISA has made it clear that appropriate indicators have been added to its Catalog of Known Exploited Vulnerabilities and that federal agencies must fix any issues within 72 hours.  The latest surge in malicious attacks represents a stark reminder of how quickly opportunistic reconnaissance can escalate into compromise when foundational controls are neglected, so organizations should prepare for the possibility of follow-on attacks. Security experts have highlighted that these recent incidents serve as a warning to organizations about potential follow-on attacks. A number of security experts advise organizations to adopt a more disciplined hardening strategy rather than rely on reactive patching, which includes monitoring the attack surface continuously, checking identity policies regularly, and segmenting all remote access paths as strictly as possible.  According to analysts, defenders could also benefit from closer alignment between security operations teams and network administrators in order to keep an eye on anomalous traffic spikes or repeated fingerprint patterns and escalate them before they become operationally relevant. Researchers demonstrate the importance of sharing indicators early and widely, particularly among organizations that operate internet-facing VPN frameworks, as attackers have become increasingly adept at recycling infrastructure, tooling, and products across many different product families.  Even though GlobalProtect and similar platforms are generally secure if they are configured correctly, recent scan activity highlights a broader truth that is not obvious. In order to remain resilient to adversaries who are intent on exploiting even the slightest crack in perimeter defenses, sustained vigilance, timely remediation, and a culture of proactive security hygiene remain the most effective barriers.

 Portugal has updated its cybercrime law to offer legal protection to security researchers who probe systems in good faith and report vulnerabilities responsibly. The change creates a legal safe harbor for ethical hacking, turning what was previously classified as illegal access or data interception into a non-punishable act when strict conditions are met. The new provision appears in Article 8.o-A under the title "Acts not punishable due to public interest in cybersecurity."  It states that hacking activities aimed at finding vulnerabilities and improving cybersecurity will not lead to criminal charges if several requirements are followed. To qualify for legal protection, researchers must act only to identify weaknesses that they did not introduce and must not seek financial reward beyond normal professional compensation. They must report the issue immediately to the system owner, any relevant data controller and the Portuguese cybersecurity authority CNCS.  The law also requires that actions remain limited to what is necessary for detection. Researchers cannot disrupt services, modify data, steal information or cause damage. Personal data protected under GDPR must not be processed illegally, and banned techniques such as DDoS attacks, phishing, malware deployment and social engineering are not allowed.  Any sensitive data accessed during testing must be kept confidential and deleted within 10 days after the vulnerability is fixed. Acts carried out with the explicit consent of the system owner are also exempt from punishment, but vulnerabilities discovered during the process must still be reported to the CNCS. Cybersecurity professionals view the change as an important step toward separating responsible research from criminal activity.  The law provides clarity on what is allowed while giving ethical hackers the legal protection they have long requested. Portugal joins a growing number of countries adapting cybercrime laws to support good-faith research. Germany proposed similar protections in late 2024, and in 2022 the United States Department of Justice revised its prosecution guidelines under the Computer Fraud and Abuse Act (CFAA) to exempt responsible security testing.  These legal reforms reflect an increasing recognition that ethical hackers play a key role in helping organizations find and fix security flaws before real criminals take advantage of them. Supporters say the new rules will encourage more vulnerability reporting and strengthen global cybersecurity.

 Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public.  The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers.  The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems.  AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia.  Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware.  AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers.  Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems.  A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages.  The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix.  Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default.  Cybersecurity firms and cloud providers are urging organizations to take action immediately:  * Apply official patches for React, Next.js and related RSC frameworks. * Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel. * Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior. Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 

Cloudflare announced on Wednesday that it has detected and stopped the largest distributed denial of service (DDoS) attack ever recorded.  The attack peaked at 29.7 terabits per second and lasted 69 seconds. The company said the traffic came from a botnet-for-hire called AISURU, which has been behind several extreme DDoS incidents over the past year. Cloudflare did not reveal the name of the targeted organization.  AISURU has repeatedly targeted telecommunication companies, gaming platforms, hosting providers and financial services.  Cloudflare said it also blocked another massive attack from the same botnet that reached 14.1 billion packets per second. Security researchers estimate that AISURU is powered by one to four million infected devices across the world.  According to Cloudflare, the record-breaking event was a UDP carpet bombing attack that hit around 15,000 ports per second. The attackers randomised packet properties to get past defences, but Cloudflare’s automated systems detected and neutralised the traffic. Cloudflare has recorded 2,867 AISURU attacks since the beginning of 2025.  Out of these, 1,304 hyper volumetric attacks happened in the third quarter of this year alone. In total, the company blocked 8.3 million DDoS attacks during the same period. That number is 15 percent higher than the previous quarter and 40 percent higher than the same period last year.  So far in 2025, Cloudflare has mitigated 36.2 million DDoS attacks, and the year is not yet over. The company highlighted a rapid increase in network layer attacks, which now make up 71 percent of all recorded attacks.  Meanwhile, HTTP DDoS attacks declined in comparison. The report also shows major changes in the global DDoS landscape. The number of attacks that went above 100 million packets per second jumped by 189 percent quarter over quarter. In addition, 1,304 attacks exceeded one terabit per second.  Cloudflare noted that most attacks last for less than 10 minutes, which leaves very little time for manual intervention and can still cause long service disruptions.  The list of attack sources is dominated by Asia. Indonesia has remained the world’s biggest source of DDoS attacks for an entire year, followed by other locations such as Thailand, Bangladesh, Vietnam, India, Hong Kong and Singapore. Ecuador, Russia and Ukraine make up the remaining top ten.  Several industries have seen major increases in targeting. Attacks against the mining, minerals and metals sector rose sharply and pushed it to the 49th most attacked industry worldwide. The automotive industry experienced the largest jump and is now the sixth most attacked.  DDoS attacks targeting artificial intelligence companies rose by 347 percent in September alone. Across all sectors, information technology and services faced the most attacks. Telecommunications, gambling, gaming and internet services were also among the hardest hit.  The most attacked countries this year include China, Turkey, Germany, Brazil, the United States and Russia. Cloudflare said the scale and sophistication of current DDoS activity marks a turning point for global cybersecurity.  The company warned that many organizations are struggling to keep up with attackers who now operate with far more power and speed than ever before.

 NATO has wrapped up its annual Cyber Coalition exercise in Estonia after a week of intensive drills focused on protecting networks and critical infrastructure from advanced cyberattacks.  More than 1,300 cyber defenders joined the 2025 exercise. Participants represented 29 NATO countries, 7 partner nations, as well as Austria, Georgia, Ireland, Japan, South Korea, Switzerland, Ukraine, the European Union, industry experts, and universities.  The goal of the training was to strengthen cooperation and improve the ability to detect, deter, and respond to cyber threats that could affect military and civilian systems.  Commander Brian Caplan, the Exercise Director, said that Cyber Coalition brings countries together to learn how they would operate during a cyber crisis. He highlighted that cyber threats do not stay within borders and that sharing information is key to improving global defence.  This year’s exercise presented seven complex scenarios that mirrored real-world challenges. They included attacks on critical national infrastructure, cyber disruptions linked to space systems, and a scenario called “Ghost in the Backup,” which involved hidden malware inside sensitive data repositories.  Multiple simulated threat actors carried out coordinated digital operations against a NATO mission. The drills required participants to communicate continuously, share intelligence, and use systems such as the Virtual Cyber Incident Support Capability.  The exercise also tested the ability of teams to make difficult decisions. Participants had to identify early warning signs like delayed satellite data, irregular energy distribution logs, and unexpected power grid alerts. They were also challenged to decide when to escalate issues to civilian authorities or NATO headquarters and how to follow international law when sharing military intelligence with law enforcement.  A British officer taking part in the event said cyber warfare is no longer limited to watching computers. Participants must also track information shared by media and social networks, including sources that may be run by hostile groups. Over the years, Cyber Coalition has evolved based on new technologies, new policies, and new threats. According to Commander Caplan, the exercise helps NATO and its partners adjust together before a real crisis takes place.  Cyber defence is now a major pillar in NATO’s training efforts. Leaders say large-scale drills like Cyber Coalition are necessary as cyber threats continue to grow in both sophistication and frequency.

  A recent Android update has marked a paradigm shifting change in how text messages are handled on employer-controlled devices. This means Google has introduced a feature called Android RCS Archival, which lets organisations capture and store all RCS, SMS, and MMS communications sent through Google Messages on fully managed work phones. While the messages remain encrypted in transport, they can now be accessed on the device itself once delivered. This update is designed to help companies meet compliance and record-keeping requirements, especially in sectors that must retain communication logs for regulatory reasons. Until now, many organizations had blocked RCS entirely because of its encryption, which made it difficult to archive. The new feature gives them a way to support richer messaging while still preserving mandatory records. Archiving occurs via authorized third-party software that integrates directly with Google Messages on work-managed devices. Once enabled by a company's IT, the software will log every interaction inside of a conversation, including messages received, sent, edited, or later deleted. Employees using these devices will see a notification when archiving is active, signaling their conversations are being logged. Google's indicated that this functionality only refers to work-managed Android devices, personal phones and personal profiles are not impacted, and the update doesn't allow employers access to user data on privately-owned devices. The feature must also be intentionally switched on by the organisation; it is not automatically on. The update also brings to the surface a common misconception about encrypted messaging: End-to-end encryption protects content only while it's in transit between devices. When a message lands on a device that is owned and administered by an employer, the organization has the technical ability to capture it. It does not extend to over-the-top platforms - such as WhatsApp or Signal - that manage their own encryption. Those apps can expose data as well in cases where backups aren't encrypted or when the device itself is compromised. This change also raises a broader issue: one of counterparty risk. A conversation remains private only if both ends of it are stored securely. Screenshots, unsafe backups, and linked devices outside the encrypted environment can all leak message content. Work-phone archiving now becomes part of that wider set of risks users should be aware of. For employees, the takeaway is clear: A company-issued phone is a workplace tool, not a private device. Any communication that originates from a fully managed device can be archived, meaning personal conversations should stay on a personal phone. Users reliant on encrypted platforms have reason to review their backup settings and steer clear of mixing personal communication with corporate technology. Google's new archival option gives organisations a compliance solution that brings RCS in line with traditional SMS logging, while for workers it is a further reminder that privacy expectations shift the moment a device is brought under corporate management. 

 A new wave of cyberattacks is using large language models as an offensive tool, according to recent reporting from Anthropic and Oligo Security. Both groups said hackers used jailbroken LLMs-some capable of writing code and conducting autonomous reasoning-to conduct real-world attack campaigns. While the development is alarming, cybersecurity researchers had already anticipated such advancements.  Earlier this year, a group at Cornell University published research predicting that cybercriminals would eventually use AI to automate hacking at scale. The evolution is consistent with a recurring theme in technology history: Tools designed for productivity or innovation inevitably become dual-use. Any number of examples-from drones to commercial aircraft to even Alfred Nobel's invention of dynamite-demonstrate how innovation often carries unintended consequences.  The biggest implication of it all in cybersecurity is that LLMs today finally allow attackers to scale and personalize their operations simultaneously. In the past, cybercriminals were mostly forced to choose between highly targeted efforts that required manual work or broad, indiscriminate attacks with limited sophistication.  Generative AI removes this trade-off, allowing attackers to run tailored campaigns against many targets at once, all with minimal input. In Anthropic's reported case, attackers initially provided instructions on ways to bypass its model safeguards, after which the LLM autonomously generated malicious output and conducted attacks against dozens of organizations. Similarly, Oligo Security's findings document a botnet powered by AI-generated code, first exploiting an AI infrastructure tool called Ray and then extending its activity by mining cryptocurrency and scanning for new targets.  Traditional defenses, including risk-based prioritization models, may become less effective within this new threat landscape. These models depend upon the assumption that attackers will strategically select targets based upon value and feasibility. Automation collapses the cost of producing custom attacks such that attackers are no longer forced to prioritize. That shift erases one of the few natural advantages defenders had.  Complicating matters further, defenders must weigh operational impact when making decisions about whether to implement a security fix. In many environments, a mitigation that disrupts legitimate activity poses its own risk and may be deferred, leaving exploitable weaknesses in place. Despite this shift, experts believe AI can also play a crucial role in defense. The future could be tied to automated mitigations capable of assessing risks and applying fixes dynamically, rather than relying on human intervention. In some cases, AI might decide that restrictions should narrowly apply to certain users; in other cases, it may recommend immediate enforcement across the board. While the attackers have momentum today, cybersecurity experts believe the same automation that today enables large-scale attacks could strengthen defenses if it is deployed strategically.

Asahi denies ransom payment  Japanese beer giant Asahi said that it didn't receive any particular ransom demand from threat actors responsible for an advanced and sophisticated cyberattack that could have exposed the data of more than two million people.  About the attack CEO Atsushi Katsuki in a press conference said that the company had not been in touch with the threat actors. But Asahi has delayed the release of financial results. Even if the company received a ransom demand, it would not have paid, Katsuki said. Asahi Super Dry is one of Japan's most popular beers. Asahi suffered a cyberattack on 29th September. However, the company clarified on October 3 that it was hit by a ransomware attack. Attack tactic  In such incidents, threat actors typically use malicious software to encrypt the target's systems and then ask ransom for providing encryption keys to run the systems again. Asahi said threat actors could have hacked or stolen identity data like phone numbers and names of around two million people- employees, customers and families. Qilin gang believed to be responsible  The firm didn't disclose details of the attacker at the conference. Later, it told AFP via mail that experts hinted towards a high chance of attack by hacking group Qilin. The gang issued a statement that the Japanese media understood as a claim of responsibility. Commenting on the situation,  Katsuki said the firm thought it had taken needed measures to prevent such an incident. "But this attack was beyond our imagination. It was a sophisticated and cunning attack," Katsuki said.  Impact on Asahi business  Interestingly, Asahi delayed the release of third-quarter earnings and recently said that the annual financial results had also been delayed. "These and further information on the impact of the hack on overall corporate performance will be disclosed as soon as possible once the systems have been restored and the relevant data confirmed," the firm said. The product supply hasn't been affected. Shipments will resume in stages while systems recover. "We apologise for the continued inconvenience and appreciate your understanding," Asahi said.

 Cybersecurity researchers at security firm Cleafy have issued a warning regarding a high risk malware campaign aimed at Android users via WhatsApp messages that could jeopardize users' cryptocurrency wallets and bank information. The researchers tracked the threat as Albiriox, a new emerging Android malware family being marketed as malware-as-a-service (MaaS) on underground cybercrime forums.  Modus operandi  The malware propagate through WhatsApp messages which include links to malicious websites that impersonate Google Play Store pages. Currently, they are impersonating a popular discount retail app, but this could quickly change both in terms of campaigns and targets. Rather than having the app delivered directly, victims are persuaded to submit their phone number, on the premise that an installation link will be sent to them on WhatsApp.  After users tap on and download the trojanised app, Albiriox is able to take full control of the compromised device. The malware overlays attacks on more than 400 cryptocurrency wallet and banking apps — displaying fake login screens on top of the legitimate apps to capture credentials as users input them.  Albiriox is an advanced, rapidly evolving malware. The malware also features Vnc-based remote access, which gives the attackers the ability to directly control the infected machines. Initially, campaigns were targeted at Austrian citizens with German-language messages, but is now broadening its reach. The malware is obfuscated with JSONPacker and also it tricks users into allowing the "Install Unknown Apps" permission. When it is running, it contacts its command servers through unencrypted TCP and stays on the bot forever, maintaining active control through a regular series of ping-pong heartbeat messages.  Mitigation tips Security experts emphasize that users should never agree to install apps through phone number submission on websites. Any WhatsApp messages requesting app installations should be immediately deleted without clicking links. This distribution method represents exactly why Google is strengthening measures against sideloading, requiring app developers to register and verify their identities. Cleafy highlights that Albiriox demonstrates the ongoing evolution and increasing sophistication of mobile banking threats. However, users can protect themselves effectively by following several key practices: only install apps from the official Google Play Store, ensure Play Protect is activated, and remain skeptical of any unsolicited installation requests received through messaging apps.  The campaign highlights broader security concerns affecting WhatsApp and similar platforms, particularly as attackers combine social engineering with technical malware capabilities to compromise both devices and accounts.

  A new report from security researchers warns that a humble Wi-Fi router has quietly become one of the most vulnerable gateways into home and work in an era where digital dependency is becoming more prevalent each day. Despite being overlooked and rarely reconfigured after installation, these routers remain one of the most vulnerable gateways to cybercrime.  It is becoming increasingly clear that stalkers, hackers, and unauthorized users can easily infiltrate networks that are prone to outdated settings or weak protections as cyberattacks become more sophisticated. Various studies have shown that encryption standards like WPA3, when combined with strong password hygiene practices, can serve as the first line of defense in the fight against cybercrime. However, these measures can be undermined when users neglect essential security practices, such as safe password practices.  Today, comprehensive security strategies require much more than just a password to achieve the desired results: administrators need to regularly check router-level security settings, such as firewall rules, guest network isolation, administrative panel restrictions, tracking permissions, and timely firmware updates. This is particularly true for routers that can support hundreds, or even thousands of connected devices in busy offices and homes.  Modern wireless security relies on layers of defenses that combine to repel unauthorized access through layered defenses. WPA2 and WPA3 encryption protocols scramble data packets, ensuring that intercepted information remains unreadable by anyone outside of the network.  A user's legitimacy is verified by an authentication prompt prior to any device being permitted on to the network, and granular access-control rules determine who can connect, what they can view, and how deeply they can communicate with the network.  By maintaining secure endpoints—such as updating operating systems, antivirus applications, and restricting administrator access—we further decrease the chances of attackers exploiting weak links in the system. In addition to monitoring traffic patterns constantly, intrusion detection and prevention systems also recognize anomalies, block malicious attempts in real time, and respond to threats immediately.  In conjunction with these measures, people have the capability of creating a resilient Wi-Fi defense architecture that protects both the personal and professional digital environments alike. According to researchers, although it seems trivial to conceal the physical coordinates of a Wi-Fi router, concealing this information is essential both for the safety of the individual and for the security of the organization.  It is possible for satellite internet terminals such as Starlink to unwittingly reveal the exact location of a user-an issue particularly important in conflicting military areas and disaster zones where location secrecy is critical. Mobile hotspots present similar issues as well. In the event that professionals frequently travel with portable routers, their movement can reveal travel patterns, business itineraries, or even extended stays in specific areas of the country.  People who have relocated to escape harassment or domestic threats may experience increased difficulties with this issue, as an old router connected by acquaintances or adversaries may unintentionally reveal their new address to others. It is true that these risks exist, but researchers note that the accuracy of Wi-Fi Positioning System (WPS) tracking is still limited.  There is typically only a short period of time between a router appearing in location databases—usually several days after it has been detected repeatedly by multiple smartphones using geolocation services—conditions that would not be likely to occur in isolated, sparsely populated, or transient locations.  Furthermore, modern standards allow for BSSID randomization, a feature that allows a router's broadcast identifier to be rotated regularly. This rotation, which is similar to the rotation of private MAC addresses on smartphones, disrupts attempts at mapping or re-identifying a given access point over time, making it very difficult to maintain long-term surveillance capabilities. The first line of defense remains surprisingly simple: strong, unique passwords. This can be accomplished by reinforcing the basic router protections that are backed by cybersecurity specialists. Intruders continue to exploit weak or default credentials, allowing them to bypass security mechanisms with minimal effort and forging secure access keys with minimal effort.  Experts recommend long, complex passphrases enriched with symbols, numbers, and mixed character cases, along with WPA3 encryption, as a way to safeguard data while it travels over the internet. Even so, encryption alone cannot cover up for outdated systems, which is why regular firmware updates and automated patches are crucial to closing well-documented vulnerabilities that are often ignored by aging routers.  A number of features that are marketed as conveniences, such as WPS and UPnP, are widely recognized as high-risk openings which are regularly exploited by cybercriminals. Analysts believe that disabling these functions drastically reduces one's exposure to targeted attacks. Aside from updating the default administrator usernames, modern routers come with a number of security features that are often left untouched by organizations and households alike.  As long as a guest network is used, you can effectively limit unauthorized access and contain potential infections by changing default administrator usernames, enabling two-step verification, and segmenting traffic. As a general rule, firewalls are set to block suspicious traffic automatically, while content filters can be used to limit access to malicious or inappropriate websites.  Regular checks of device-level access controls ensure that only recognized, approved hardware may be connected to the network, in addition to making sure that only approved hardware is allowed access. The combination of these measures is one of the most practical, yet often neglected, frameworks available for strengthening router defenses, preventing attackers from exploiting breaches in digital hygiene, and limiting the opportunities available to attackers.  As reported by CNET journalist Ry Crist in his review of major router manufacturers' disclosures, the landscape of data collection practices is fragmented and sometimes opaque. During a recent survey conducted by the companies surveyed, we found out that they gathered a variety of information from users, ranging from basic identifiers like names and addresses to detailed technical metrics that were used to evaluate the performance of the devices.  Despite the fact that most companies justify collecting operational data as an essential part of maintenance and troubleshooting, they admit that this data is often incorporated into marketing campaigns as well as shared with third parties. There remains a large amount of ambiguity in the scope and specificity of the data shared by CommScope.  In its privacy statement, which is widely used by consumers to access the Internet, CommScope notes that the company may distribute "personal data as necessary" to support its services or meet business obligations. Nevertheless, the company does not provide sufficient details about the limits of the sharing of this information. However, it is somewhat clearer whether router makers harvest browsing histories when we examine their privacy policies.  It is explicitly stated by Google that its systems do not track users' web activity. On the other hand, both Asus and Eero have expressed a rejection of the practice to CNET directly. TP-Link and Netgear both maintain that browsing data can only be collected when customers opt into parental controls or similar services in addition to that.  The same is true of CommScope, which claimed that Surfboard routers do not access individuals' browsing records, though several companies, including TP-Link and CommScope, have admitted that they use cookies and tracking tools on their websites. There is no definitive answer provided by public agreements or company representatives for other manufacturers, such as D-Link, which underscores the uneven level of transparency throughout the industry.  There are also inconsistencies when it comes to the mechanisms available to users who wish to opt out of data collection. In addition, some routers, such as those from Asus and Motorola managed by Minim, allow customers to disable certain data sharing features in the router’s settings. Nest users, on the other hand, can access these controls through a privacy menu that appears on the mobile app.  Some companies, on the other hand, put heavier burdens on their customers, requiring them to submit e-mails, complete online forms, or complete multi-step confirmation processes, while others require them to submit an email. Netgear's deletion request form is dedicated to customers, whereas CommScope offers opt-out options for targeted advertising on major platforms such as Amazon and Facebook, where consumers can submit their objections online.  A number of manufacturers, including Eero, argue that the collection of selected operational data is essential for the router to function properly, limiting the extent to which users can turn off this tracking. In addition, security analysts advise consumers that routers' local activity logs are another privacy threat that they often ignore.  The purpose of these logs is to collect network traffic and performance data as part of diagnostic processes. However, the logs can inadvertently reveal confidential browsing information to administrators, service providers, or malicious actors who gain access without authorization. There are several ways to review and clear these records through the device's administration dashboard, a practice which experts advise users to adhere to on a regular basis.  It is also important to note that the growing ecosystem of connected home devices, ranging from cameras and doorbells to smart thermostats and voice assistants, has created more opportunities to be monitored, if they are not appropriately secured. As users are advised to research the data policies of their IoT hardware and apply robust privacy safeguards, they must acknowledge that routers are just one part of a much larger and deeper digital ecosystem.  It has been suggested by analysts that today's wireless networks require an ecosystem of security tools that play a unique role within a larger defensive architecture in order to safeguard them, as well as a number of specialized security tools. As a result of the layered approach modern networks require, frameworks typically categorize these tools into four categories: active, passive, preventive, and unified threat management.  Generally speaking, active security devices function just like their wired counterparts, but they are calibrated specifically to handle the challenges of wireless environments, for example. It includes firewalls that monitor and censor incoming and outgoing traffic in order to block intrusions, antivirus engines that continuously scan the airwaves for malware, and content filtering systems designed to prevent access to dangerous or noncompliant websites. This type of tool is the frontline mechanism by which a suspicious activity or a potential threat can be identified immediately and key controls enforced at the moment of connection.  Additionaly, passive security devices, in particular wireless intrusion detection systems, are frequently used alongside them. In addition to monitoring network traffic patterns for anomalies, they also detect signs of malware transmission, unusual login attempts or unusual data spikes. These tools do not intervene directly. Administrators are able to respond to an incident swiftly through their monitoring capabilities, which allows them to isolate compromised devices or adjust configurations prior to an incident escalate, which allows administrators to keep a close eye on their network.  A preventive device, such as a vulnerability scanner or penetration testing appliance, also plays a crucial role. It is possible for these tools to simulate adversarial behaviors, which can be used to probe network components for weaknesses that can be exploited without waiting for an attack to manifest. By using preventive tools, organizations are able to uncover misconfigurations, outdated protections, or loopholes in the architecture of the systems, enabling them to address deficiencies well before attackers are able to exploit them.  In a way, the Unified Threat Management system provides a single, manageable platform at the edge of the network, combining many of these protections into one. Essentially, UTM devices are central gateways that integrate firewalls, anti-malware engines, intrusion detection systems, and other security measures, making it easier to monitor large or complex environments.  A number of UTM solutions also incorporate performance-monitoring capabilities, which include bandwidth, latency, packet loss, and signal strength, essential metrics for ensuring a steady and uninterrupted wireless network. There are several ways in which administrators can receive alerts when irregularities appear, helping them to identify bottlenecks or looming failures before they disrupt operations.  In addition to these measures, compliance-oriented tools exist to audit network behavior, verify encryption standards, monitor for unauthorized access, and document compliance with regulations. With these layered technologies, it becomes clear that today's wireless security opportunities extend far beyond passwords and encryption to cover a broad range of threats and requires a coordinated approach that includes detection, prevention, and oversight to counter today's fast-evolving digital threats.  As far as experts are concerned, it is imperative to protect the Wi-Fi router so that it may not be silently collected and accessed by unauthorized individuals. As cyberthreats grow increasingly sophisticated, simple measures such as updating firmware, enabling WPA3 encryption, disabling remote access, and reviewing connected devices can greatly reduce the risk.  Users must be aware of these basic security principles in order to protect themselves from tracking, data theft, and network compromise. It is essential that router security is strengthened because it is now the final line of defense for making sure that personal information, online activities, and home networks remain secure and private.

Open in the wild flaw The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog after exploitation in the wild. The flaw CVE-2025-55182 (CVSS score: 10.0) or React2Shell hints towards a remote code execution (RCE) that can be triggered by an illicit threat actor without needing any setup.  Remote code execution  According to the CISA advisory, "Meta React Server Components contains a remote coThe incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groupsde execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints." The problem comes from unsafe deserialization in the library's Flight protocol, which React uses to communicate between a client and server. It results in a case where an unauthorised, remote hacker can deploy arbitrary commands on the server by sending specially tailored HTTP requests. The conversion of text into objects is considered a dangerous class of software vulnerability.  About the flaw  "The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization," said Martin Zugec, technical solutions director at Bitdefender. The incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groups such as Jackpot Panda and Earth Lamia. "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," AWS said. Attack tactic  Few attacks deployed cryptocurrency miners and ran "cheap math" PowerShell commands for successful exploitation. After that, it dropped in-memory downloaders capable of taking out extra payload from a remote server. According to Censys, an attack surface management platform, 2.15 million cases of internet-facing services may be affected by this flaw. This includes leaked web services via React Server Components and leaked cases of frameworks like RedwoodSDK, React Router, Waku, and Next.js. According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.