RSS Aggregator

Critical NGINX Vulnerability CVE-2026-42945: What Linux Admins Should Check Now

LinuxSecurity.com - 18 May, 2026 - 18:35
New flaw leads to denial-of-service on affected NGINX configurations. If ASLR is disabled, it may become a remote code execution. 
Category: Hacking & Security

Linux kernel flaw opens root-only files to unprivileged users

The Register - Anti-Virus - 18 May, 2026 - 18:20
Another Linux kernel flaw has handed local unprivileged users a way to peek at files they should never be able to read, including root-only secrets such as SSH keys. The bug affects multiple LTS kernel lines from 5.10 upward, although a fix has already landed – and there is now a proposal for reducing the odds of similar surprises in future.

What FOSS analytics vendor Metabase memorably dubbed the strip-mining era of open source security continues. This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials, as the KnightLi blog explains.

Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn't been a good month.

According to a report on Linux Stans, it affected LTS kernel versions 5.10, 5.15, 6.1, 6.6, 6.12, 6.18 and 7.0. The good news is that it's already been fixed: Linus himself, in commit 31e62c2, called the fix "ptrace: slightly saner 'get_dumpable()' logic."

The issue was reported on the oss-security list on Friday by security consultancy Qualys, as noted on X by grsecurity's Brad Spengler. In the same thread, Altan Baig pointed out that the underlying issue was reported by Jann Horn on the Linux Kernel Mailing List way back in 2020. The problem with tracking security reports, which Penguin Emperor Torvalds described recently, is not new, alas.

ModuleJail

This also seems like a good time to look at what we thought was an interesting new defensive measure, Jasper Nuyens' ModuleJail. The top line of the README summarizes it:

The mention of "no AI inside the tool" is arguably something of a giveaway, and you can see a CLAUDE.md file in the repo. Even so, how it works is simple enough.

Although Linux has a monolithic kernel, it is modular. When the kernel's source code is compiled, the person or tool building it can choose if each individual component is included (built into the binary), not included at all, or compiled as a module, which can be loaded on the fly as and when it's needed. Since the kernel is mostly device drivers, it's normal for distribution vendors to compile most non-essential components as kernel modules – as the Arch wiki explains.

Blacklisting a module just means adding its name to a list of modules not to load. Blacklisting unused modules for added security isn't a new idea. It's in the RHEL 6 documentation, for instance, and a DoHost blog post from last year describes it as a security measure. ModuleJail simply automates the process. It blacklists any modules not currently in use.

Probably safe for a server, but rather less ideal for a laptop or machine where you need to plug in new hardware on the fly. Connecting a USB headset, say, is quite different from plugging one into a headphone socket. While a device with a jack plug uses your existing sound controller, by connecting a USB one, you're effectively adding a new sound controller – just one that happens to be connected over USB.

ModuleJail mentions that its approach avoids changing the initramfs. An initramfs, like an initrd, is a file containing a temporary RAM disk, so that a generic kernel can find and load the drivers it needs for the particular box it's running on – even before it can find the machine's SSD and mount the root partition.

Back in the 1990s, as grumpy old graybeards such as this vulture recall, recompiling your kernel was a standard part of periodic system maintenance. One benefit of building the kernel customized for your own computer was eliminating the need for an initramfs. If all the drivers are built in, there's no need for this temporary stage, although as the ArchWiki notes, this does limit some advanced features, which, for instance, systemd uses.

We would love to see some of the systemd-free distros incorporate such automatic ModuleJail-style identification of essential modules, and use it to build a custom kernel on the fly, then banish the use of initramfs. (Maybe just keep the all-options-enabled installation kernel around as an emergency fallback.) Aside from a few special cases such as OpenZFS, this should work on most hardware – and make life simpler, quicker, and perhaps slightly more secure. ®
Category: Viruses & Worms

Honor 600 Lite phone review. The lightweight model impresses with good battery life and an attractive design

Živě.cz - 18 May, 2026 - 17:45
The iPhone inspiration is noticeable not only visually • We like the quality build and the high-brightness display • The phone's camera is not one of its strong points
Category: IT News

Gmail offers only 5 GB of storage unless you give it your phone number. For now it is a test in a few countries

Živě.cz - 18 May, 2026 - 16:45
Google is testing a Gmail storage cap in some countries. • If you do not link a phone number to the account, you get only 5 GB. • Once a number is entered, the company unlocks the standard 15 GB of storage.
Category: IT News

Storing information on adhesive tape? Penn State scientists say yes!

AbcLinuxu [news] - 18 May, 2026 - 16:17
Researchers at Penn State University are investigating a way of storing information on adhesive tape. In principle, they say, a combination of peeling the tape off and sticking it back on could store information, which they can then read by peeling it off again. The advantage is that both the storage and the readout methods are purely mechanical. They report on it here in a freely available article. It will be interesting to see whether, in the course of the research, they manage to demonstrate usability outside a purely academic setting. Personally, I would be curious whether, for example, certain (unintended) perforations of the tape would improve some aspect of the storage or reading process, or the density or durability of the stored information...
Category: GNU/Linux & BSD

TanStack weighs invitation-only pull requests after supply chain attack

The Register - Anti-Virus - 18 May, 2026 - 16:15
The TanStack team has documented security measures and proposals following a damaging breach last week, including the possibility of making pull requests (PRs) by invitation only - a break from the open-contribution model that defines most open source projects.

The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from memory used by GitHub Actions. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target feature, causing the malicious code to be built and run by a GitHub Action, poisoning a cache used across the entire repository.

The TanStack team said that its workflow used a pattern GitHub warns against: pull_request_target is intended for PRs that "do not require dangerous processing, say building or running the content of the PR."

Since the attack, TanStack has removed all use of pull_request_target from its continuous integration (CI) pipeline, disabled caches used by pnpm (a Node.js package manager) and GitHub Actions, pinned actions to commit SHA (Secure Hash Algorithm) hashes rather than retargetable tags, and disabled use of text messages for 2-factor authentication.

The TanStack repository also now uses a feature of pnpm 11 called minimumReleaseAge, which requires dependencies to have been published for a set period before they can be installed. The idea is that compromised packages are usually detected and removed before that period completes.

A more drastic proposal is closing the ability for external contributors to open pull requests at all. "We are absolutely not going closed source," the team said, but it could put in place a mechanism where contributions begin with an issue or discussion, and a PR can be submitted only by invitation. TanStack acknowledged that it would be a radical step to take as "open PRs are part of how a lot of us became maintainers in the first place."

It might not be necessary if the repository can be hardened enough that malicious PRs cannot cause damage. It is a debate that maintainers of other open source projects will watch with interest. Supply chain security is a huge issue, but making pull requests invitation-only could hurt projects by deterring contributions.

Another aspect of this is the extent to which GitHub itself is to blame. "Cache scoping in GitHub Actions shouldn't silently bridge fork PRs and base-repo branches," said the TanStack team. ®
Category: Viruses & Worms

The Fully Anesthetized Brain Can Still Track a Podcast

Singularity HUB - 18 May, 2026 - 16:00

A new study challenges the idea that consciousness is necessary to make sense of language.

Our brains keep on whirling long after we drift off to sleep.

Each night, the hippocampus, a major hub for learning, replays experiences from the previous day and etches them into memory. And even in deep sleep, neurons in sensory regions of the brain spark with activity when they receive new stimuli, like sounds.

This raises a provocative question: How much is consciousness required to make sense of the world around us?

A new study suggests the unconscious brain can handle far more than simple sensory cues. Recording electrical activity from patients under general anesthesia, a team at Baylor College of Medicine and collaborators found the hippocampus continued processing sounds, words, and speech while patients listened to alternating tones and podcast clips.

Groups of neurons shifted their activity depending on the type of word spoken—nouns or verbs, for example—and predicted the next word in sentences.

“Our findings show that the brain is far more active and capable during unconsciousness than previously thought,” study author Sameer Sheth said in a press release. “Even when patients are fully anesthetized, their brains continue to analyze the world around them.”

Scientists have long thought that language processing, a complex computation, relied on awareness. Anesthesia disrupts large-scale communication across the brain, seemingly making complex language processing impossible. But the new findings suggest that even as global brain dynamics break down, some local circuits retain the ability to process sophisticated information—and, at least for storytelling, predict what comes next.

To be clear, it doesn’t mean that participants were secretly awake. Whether the brain retains local processing power during sleep, coma, or other states of unconsciousness is also up for debate.

But “this work pushes us to rethink what it means to be conscious,” said Sheth. “The brain is doing much more behind the scenes than we fully understand.”

Lights Out

We slip into unconsciousness every night. The brain shifts gears.

Compared to when we’re awake and alert, the mind’s activity patterns change dramatically. The hippocampus reactivates neurons involved in recent learning, rapidly replaying their activity patterns to strengthen neural connections. Elsewhere, the brain generates short bursts of electrical activity called sleep spindles, which shut off communication between regions necessary for processing new information from the outside world. These unique electrical signals are crucial for sorting new experiences and integrating them into long-term memory.

The brain is clearly busy during unconsciousness, but it also seems largely sealed off from its surroundings. Over the past two decades, however, scientists have increasingly realized the sleeping brain remains surprisingly alert.

In one study, volunteers repeatedly exposed to unfamiliar sounds during sleep were able to identify them after waking up. In another, participants hearing their own names or angry voices triggered brain activity even in deep sleep, a phenomenon called “sentinel processing.”

Scientists have also recorded directly from the brains of people with epilepsy, who had electrodes implanted to pinpoint the source of seizures. The researchers confirmed that the auditory cortex—the first region involved in processing sound—lit up with activity, but it appeared disconnected from the regions responsible for interpreting meaning.

Similar patterns emerged under other states of unconsciousness. After receiving propofol, a common drug used to induce general anesthesia, patients still showed activity in their auditory cortex, but information relay to higher regions involved in cognition seemed to break down.

Or did it?

“The brain has developed such amazing, sophisticated mechanisms for doing all these complex tasks all day long, that it can do some of these things even without us being aware,” Sheth told Nature. They decided to take another look.

Someone’s Home

The team focused on the hippocampus, best known as the brain’s memory center. Linking it to language processing seems like a stretch. But mounting evidence suggests the hub is responsible for far more than memory. It may also help organize information more broadly, from the mapping of physical spaces to tracking other unfolding events like language.

It’s still a niche idea, said Sheth. But the hippocampus could play a much broader role in structuring the world around us—even without awareness. “How is the world organized? The hippocampus may be part of that as well,” he said.

To test the idea, the team recruited seven people undergoing epilepsy surgery. While they were under propofol anesthesia, the team inserted tiny probes into the hippocampus. Called Neuropixels, the implants are thinner than a human hair but packed with over a thousand sensors that eavesdrop on the electrical chatter of hundreds of neurons at once.

The team first played repetitive beeps to three participants, occasionally interrupted by random boops at a different pitch. In the beginning, neurons were indifferent to the oddball sounds. But within 10 minutes, their activity levels showed they were getting better at separating the unexpected tones from the normal ones.

“They learned over time to pay more attention to oddball sounds,” even while the person was fully unconscious, said Sheth.

A second test took things further. The team played 10-minute snippets from The Moth Radio Hour, a storytelling podcast featuring speakers from all walks of life, each with distinct intonations, turns of phrases, and accents.

Across the recordings, specific groups of hippocampal neurons responded to different linguistic features. Some were attuned to uncommon words like “cosmos.” Others tracked grammatical structure, responding differently to nouns, verbs, or adjectives.

The neurons also cared about semantic meaning, or the relationships between words. For example, they seemed to recognize that “cat” is conceptually closer to “dog” than an unrelated word like “pen.” The hippocampus also seemed to anticipate upcoming words based on the context of a sentence, with activity patterns similar to those seen in the awake brain.

“We are always making predictions about what we’re about to hear next,” said Sheth. Even under anesthesia, these neurons appeared to keep track of the narrative, indicating a “very sophisticated form of processing of the natural speech that they’re listening to.”

Despite intense neural activity, patients didn’t remember any of the podcast stories upon waking. Still, traces of the experience may have lingered unconsciously. In future studies, the team plans to test for this by exposing unconscious participants to different podcasts then later asking which ones feel familiar. They also want to explore whether the hippocampus processes stories told in unfamiliar languages.

The findings are preliminary, drawn from a small group of people under one type of anesthetic. The sleeping or comatose brain may work differently. But the work could help scientists decipher brain activity in people with severe traumatic brain injuries in a vegetative state. It could also guide the development of implants to rewire damaged neural circuits to other parts of the brain and reboot communication.

“Maybe the most important thing is what can we do about this,” said Sheth. For someone who’s unconscious, “can we bring them back?”


Category: Transhumanism

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

The Hacker News - 18 May, 2026 - 15:50
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production
Category: Hacking & Security

Grafana says stolen GitHub token let hackers steal codebase

Bleeping Computer - 18 May, 2026 - 15:46
Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token. [...]
Category: Hacking & Security

The "eternal" aircraft Solar Impulse 2, which flew around the world, crashed off the US coast. Its batteries ran out

Živě.cz - 18 May, 2026 - 15:46
The unique Solar Impulse 2 aircraft crashed into the Gulf of Mexico after its batteries ran out • It previously flew around the world and set a flight-duration record (117 hours and 52 minutes) • Originally an environmental project, at the time of the accident it was serving as an autonomous military drone
Category: IT News

Microsoft to retire ‘Together Mode,’ its virtual meeting space for Teams

Computerworld.com [Hacking News] - 18 May, 2026 - 15:31

Microsoft plans to retire “Together Mode” in Teams next month and is encouraging users to access its Gallery view for video calls instead. 

The company launched Together Mode in the early months of the Covid-19 pandemic, as Teams usage rocketed and businesses sought ways to connect staff when physical offices closed due to social distancing policies. 

Together Mode was positioned as a “shared virtual space” to enhance the feeling of connection while on a video call, with participants’ video feed cropped and placed in virtual scenes such as a conference room, coffee shop, or amphitheater. Microsoft claimed that Together Mode users were less likely to experience video meeting fatigue — a common complaint among remote workers as tools such as Teams and Zoom became the norm for office collaboration.

The feature could be seen as part of a wider push for more engaging and immersive meeting experiences, a move that extended to Microsoft’s metaverse for work concept, with its Mesh 3D meeting platform.

Microsoft retired Mesh last December (though an app for immersive events is still available with certain Teams subscriptions), and now Together Mode faces the same fate. 

Together Mode will no longer be available as of June 30, a move that will “simplify the meeting experience” for users, said Katarina Tranker, Teams product manager, in a Monday blog post. At this point, the feature will be removed as an option from the View menu in Teams meetings, with the Gallery view the primary layout for group meetings. 

“Today, the core need Together mode was designed to support, namely seeing the people who matter in a meeting, can now be fully met by the modern Gallery view, which can display up to 49 participants at once,” said Tranker.

The move to a single layout means fewer clicks for users and enables the product development team to move quicker to add new features, Microsoft said, while the Gallery is also less demanding on devices.

Category: Hacking & Security

NGINX Rift attackers waste no time targeting exposed servers

The Register - Anti-Virus - 18 May, 2026 - 15:02
Exploit attempts are already hammering a newly disclosed NGINX bug dubbed "NGINX Rift," proving once again that attackers read patch notes faster than most admins.

Researchers at VulnCheck said they are seeing active exploitation tied to CVE-2026-42945, a heap buffer overflow flaw affecting both NGINX Open Source and NGINX Plus that was disclosed last week after apparently sitting unnoticed for 18 years.

VulnCheck's Patrick Garrity said the company observed exploitation activity on its canary systems "just days after the CVE was published."

"An unauthenticated attacker can crash the NGINX worker process by sending crafted HTTP requests," he said. "On servers with ASLR disabled – which, of course, is extremely unlikely – code execution is possible."

Researchers at Depthfirst disclosed the bug last week, saying the flaw had been sitting in NGINX's rewrite module since 2008. The vulnerability, nicknamed "NGINX Rift," was assigned a CVSS score of 9.2.

According to F5, which acquired NGINX in 2019, the flaw can be triggered by specially crafted HTTP requests under certain server configurations. In most cases, the result is a crashed worker process and a forced restart, though systems running without standard Linux memory protections could potentially face code execution.

A public proof-of-concept exploit appeared the same day patches dropped, which helps explain why researchers started seeing exploitation attempts almost immediately.

In practice, turning this into reliable remote code execution takes a pretty specific setup. The target server must be running a specific rewrite configuration, attackers need enough knowledge of that setup to exploit it correctly, and ASLR must also be disabled on the host system.

Security researcher Kevin Beaumont noted that while the bug is real, modern Linux defaults significantly reduce the likelihood of successful real-world RCE.

"Regarding CVE-2026-42945 in nginx – no modern (or even old) Linux distribution runs nginx without ASLR," Beaumont said. "So, cool, sweet technical vuln – it's valid – but the RCE apocalypse ain't coming."

Even so, VulnCheck said Censys scans surfaced roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, which means patching teams everywhere just inherited another very long week. ®
Category: Viruses & Worms

How to Reduce Phishing Exposure Before It Turns into Business Disruption

The Hacker News - 18 May, 2026 - 15:00
What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread. Early phishing detection closes that gap. It helps teams move from uncertainty to evidence faster,
Category: Hacking & Security

From Katowice to Vienna it is 1200 km and the route goes through Germany. Google has owed us cycling navigation for 16 years

Živě.cz - 18 May, 2026 - 14:45
In spring 2010, Google added cycling navigation to its maps. First in the US, and two and three years later it also covered several countries in Western and Northern Europe. Then it ended the expansion and added no new features either. Coverage of Czechia or Slovakia never came, but the nearly 50-million-strong ...
Category: IT News

Poland directs officials to ditch Signal in favor of 'secure' state-developed alternative

The Register - Anti-Virus - 18 May, 2026 - 14:15
The Polish government is urging public officials and "entities within the National Cybersecurity System" to stop using Signal, directing them to instead use an encrypted messenger developed by a leading Polish research organization.

In an announcement on Friday, the government stated that Signal comes with security risks, including social engineering attacks orchestrated by advanced persistent threat (APT) groups. "National-level Computer Security Incident Response Teams (CSIRTs) have identified phishing campaigns conducted by APT groups linked to hostile state agencies," the announcement says. "These attacks target, among others, public figures and government employees."

Offering examples of these social engineering campaigns, the government said attackers impersonate Signal support staff and abuse this perceived trust to take over victims' accounts. Attackers trick users into opening malicious links by sending messages designed to create a sense of urgency, such as those supposedly informing them of their account being blocked. Successful attempts can expose victims' phone numbers and, crucially, messages sent between government officials, potentially threatening national security.

A more detailed advisory cited "recent security incidents" related to Signal as reasons for the change. It didn't specify what these recent attacks were, or even who was behind them, but it can be reasonably assumed that the Polish government was indirectly referencing Russia's phishing attempts against both Signal and WhatsApp, which were revealed in March.

Dutch intelligence agencies AIVD and MIVD reported a "large-scale" campaign targeting their own government officials, noting that some attacks were successful. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that successful attacks were carried out on government bods as well as journalists.

Beyond Signal support staff impersonation, the agencies said the attacks can also involve outsiders persuading victims to surrender their verification codes or PINs, or abusing the platform's Linked Devices feature via QR codes to take control of accounts. The FBI, CISA, and the German information security department issued near-identical warnings.

The alternative

Poland announced the launch of mSzyfr Messenger in March, saying it was designed for use by public administration entities, those involved in the National Cybersecurity System, and others to be decided by the government. Developed by the Ministry of Digital Affairs and the Scientific and Academic Computer Network – National Research Institute (NASK), mSzyfr was touted by the government as "the first secure instant messenger fully under Polish jurisdiction."

It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option, but users can also opt for Google or FreeOTP. Further, if users want to retain access to messages even after logging out of the platform, they must set up a recovery key, which the installation manual suggests storing in a password manager. That undercuts the government's emphasis on Polish jurisdiction somewhat, since many popular password managers are either foreign-owned or open source.

An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description. It also claimed the US-based platforms are not GDPR-compliant.

The mSzyfr app is not publicly available. Only individuals working for approved organizations are able to receive invites to join the platform. It replaces Swiss-founded Threema, which the Polish government began endorsing for state officials and law enforcement in 2022, but data such as messages cannot be transferred because of the apps' encrypted nature. All Threema users should expect to receive an invite to mSzyfr in the near future, if they have not already.

The Register asked Signal to comment on Poland's announcement, but it did not immediately respond. It did, however, recently address security concerns raised by various intelligence agencies last week, introducing new warnings and alerts inside the platform to help users weed out potential impostors and bad actors. ®
Category: Viruses & Worms

IT threat evolution in Q1 2026. Mobile statistics

Kaspersky Securelist - 18 May, 2026 - 14:00

IT threat evolution in Q1 2026. Mobile statistics
IT threat evolution in Q1 2026. Non-mobile statistics

In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.

To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.

The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The quarter in numbers

According to Kaspersky Security Network, in Q1 2026:

  • More than 2.67 million attacks utilizing malware, adware, or unwanted mobile software were prevented.
  • The Trojan-Banker category was the prevalent mobile malware threat with a 10.86% share of total detections.
  • More than 306,000 malicious installation packages were discovered, including:
    • 162,275 packages related to mobile banking Trojans;
    • 439 packages related to mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices decreased to 2,676,328 in Q1, down from 3,239,244 in the previous quarter.

Attacks on users of Kaspersky mobile solutions, Q3 2024 — Q1 2026

The overall drop in attack volume stems primarily from a reduction in adware and RiskTool detections. Nonetheless, this trend does not equate to a lower risk for mobile users. As shown later in this report, the number of unique users targeted by these threats remained relatively stable.

In Q1, Synthient researchers identified a link between the notorious Kimwolf botnet and the IPIDEA proxy network. This network was later taken down in cooperation with GTIG.

In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer.

The Trojan code, meticulously concealed, was embedded into the infected Android apps. The obfuscated malicious Rust library was decrypted using a Dalvik-like virtual machine custom-built by the attackers. The iOS version of the malware also underwent several changes; specifically, the attackers began leveraging Apple’s proprietary Vision framework for optical character recognition (OCR).

Mobile threat statistics

The number of Android malware samples saw a slight increase compared to Q4 2025, reaching a total of 306,070.

Detected malicious and potentially unwanted installation packages, Q1 2025 — Q1 2026

The detected installation packages were distributed by type as follows:

Detected mobile apps by type, Q4 2025* — Q1 2026

* Data for the previous quarter may differ slightly from previously published figures due to certain verdicts being retrospectively revised.

Threat actors once again ramped up the production of new banking Trojans; as a result, this category overtook all others in volume, accounting for more than half of all installation packages.

Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q4 2025 — Q1 2026

* The total percentage may exceed 100% if the same users encountered multiple attack types.

Following the surge in banking Trojan installation packages, the number of associated attacks also rose, causing Trojan-Banker apps to climb one spot in terms of their share of targeted users. Mamont variants emerged as the most prevalent banking Trojans, accounting for 73.5% of detections, with the rest of the users encountering Faketoken, Rewardsteal, Creduz, and other families.

Yet banking Trojans were still outpaced by adware and RiskTool-type unwanted apps when measured by the total number of affected users. Despite a decrease in their share of installation packages, these two app types retained their positions as the top two threats by attack volume. The most common adware detections involved HiddenAd (44.9%) and MobiDash (38.1%), while the most frequently seen RiskTool apps were Revpn (67%) and SpyLoan (20.5%).

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

| # | Verdict | %* Q4 2025 | %* Q1 2026 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|---|
| 1 | Backdoor.AndroidOS.Triada.ag | 2.62 | 7.09 | +4.48 | +10 |
| 2 | DangerousObject.Multi.Generic. | 6.75 | 5.84 | -0.92 | -1 |
| 3 | DangerousObject.AndroidOS.GenericML. | 3.52 | 5.51 | +1.99 | +6 |
| 4 | Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 5.28 | +5.28 | |
| 5 | Trojan.AndroidOS.Fakemoney.v | 5.40 | 3.44 | -1.96 | -1 |
| 6 | Trojan-Downloader.AndroidOS.Keenadu.l | 0.00 | 3.35 | +3.35 | |
| 7 | Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 3.09 | +3.09 | |
| 8 | Backdoor.AndroidOS.Triada.z | 4.87 | 3.08 | -1.79 | -2 |
| 9 | Trojan.AndroidOS.Triada.fe | 5.01 | 2.98 | -2.02 | -4 |
| 10 | Backdoor.AndroidOS.Keenadu.a | 2.07 | 2.73 | +0.66 | +6 |
| 11 | Trojan-Banker.AndroidOS.Mamont.jg | 0.34 | 2.37 | +2.03 | |
| 12 | Trojan.AndroidOS.Triada.hf | 2.15 | 2.23 | +0.07 | +3 |
| 13 | Trojan.AndroidOS.Boogr.gsh | 2.35 | 2.15 | -0.20 | 0 |
| 14 | Trojan.AndroidOS.Triada.ii | 5.68 | 2.07 | -3.60 | -11 |
| 15 | Backdoor.AndroidOS.Triada.ae | 1.91 | 1.76 | -0.16 | +3 |
| 16 | Backdoor.AndroidOS.Triada.ab | 1.79 | 1.72 | -0.08 | +3 |
| 17 | Trojan.AndroidOS.Triada.gn | 2.38 | 1.58 | -0.80 | -5 |
| 18 | Trojan-Banker.AndroidOS.Mamont.gg | 1.56 | 1.50 | -0.06 | +2 |
| 19 | Trojan.AndroidOS.Triada.ga | 1.48 | 1.50 | +0.01 | +4 |
| 20 | Backdoor.AndroidOS.Triada.ad | 0.53 | 1.40 | +0.87 | +44 |

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The pre-installed Triada.ag backdoor rose to the top spot; it is similar to the older Triada.z version we documented previously. Because one and the same variant was pre-installed across a wide range of devices, all of its victims are counted under a single verdict. Consequently, Triada outpaced even Mamont, whose users encountered a variety of variants, so that banking Trojan's share is spread across multiple rows. Other pre-installed Triada variants (Triada.z, Triada.ae, Triada.ab, and Triada.ad) also made the rankings. Furthermore, we observed increasing activity from the Keenadu.a backdoor, while diverse variants of the embedded Triada Trojan remained in the rankings.

Mobile banking Trojans

Q1 2026 saw a marked rise in mobile banking Trojan activity, with the number of packages totaling 162,275, a 50% increase compared to the prior quarter.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2025 — Q1 2026

We saw a similar growth in the previous quarter, with banking Trojan volumes rising by 50% during that period as well. Various Mamont variants accounted for the absolute majority of packages and represented nearly every entry in the rankings of most frequent banking Trojans by affected user count.

TOP 10 mobile bankers

| # | Verdict | %* Q4 2025 | %* Q1 2026 | Difference in p.p. | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 15.75 | +15.75 | |
| 2 | Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 9.22 | +9.22 | |
| 3 | Trojan-Banker.AndroidOS.Mamont.jg | 1.47 | 7.08 | +5.61 | +24 |
| 4 | Trojan-Banker.AndroidOS.Mamont.gg | 6.79 | 4.48 | -2.32 | -3 |
| 5 | Trojan-Banker.AndroidOS.Mamont.ks | 0.00 | 3.98 | +3.98 | |
| 6 | Trojan-Banker.AndroidOS.Agent.ws | 6.03 | 3.78 | -2.25 | -2 |
| 7 | Trojan-Banker.AndroidOS.Mamont.hl | 4.30 | 3.27 | -1.03 | +1 |
| 8 | Trojan-Banker.AndroidOS.Mamont.iv | 6.00 | 3.08 | -2.92 | -3 |
| 9 | Trojan-Banker.AndroidOS.Mamont.jb | 3.93 | 3.07 | -0.86 | +1 |
| 10 | Trojan-Banker.AndroidOS.Mamont.jv | 0.00 | 2.79 | +2.79 | |

* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.

IT threat evolution in Q1 2026. Non-mobile statistics

Kaspersky Securelist - 18 May, 2026 - 14:00


The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

Quarterly figures

In Q1 2026:

  • Kaspersky products blocked more than 343 million attacks that originated with various online resources.
  • Web Anti-Virus responded to 50 million unique links.
  • File Anti-Virus blocked nearly 15 million malicious and potentially unwanted objects.
  • 2938 new ransomware variants were detected.
  • More than 77,000 users experienced ransomware attacks.
  • 14% of all ransomware victims whose data was published on threat actors’ data leak sites (DLS) were victims of Clop.
  • More than 260,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.

A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.

In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.

In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.

In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.

Vulnerabilities and attacks

The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacing Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period

Number of new variants

In Q1 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3 2025 levels following a surge in Q4 2025.

Number of new ransomware modifications, Q1 2025 — Q1 2026

Number of users attacked by ransomware Trojans

Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.

Number of unique users attacked by ransomware Trojans, Q1 2026

Attack geography

TOP 10 countries and territories attacked by ransomware Trojans

| # | Country/territory* | %** |
|---|---|---|
| 1 | Pakistan | 0.79 |
| 2 | South Korea | 0.64 |
| 3 | China | 0.52 |
| 4 | Tajikistan | 0.40 |
| 5 | Libya | 0.38 |
| 6 | Turkmenistan | 0.36 |
| 7 | Iraq | 0.35 |
| 8 | Bangladesh | 0.33 |
| 9 | Rwanda | 0.30 |
| 10 | Cameroon | 0.28 |

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

| # | Name | Verdict | %* |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 33.90 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.38 |
| 3 | WannaCry | Trojan-Ransom.Win32.Wanna | 5.87 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.68 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 3.80 |
| 6 | LockBit | Trojan-Ransom.Win32.Lockbit | 2.80 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Phny | 1.99 |
| 8 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 1.96 |
| 9 | (generic verdict) | Trojan-Ransom.Python.Agent | 1.93 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.89 |

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q1 2026, Kaspersky solutions detected 3485 new modifications of miners.

Number of new miner modifications, Q1 2026

Number of users attacked by miners

In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q1 2026

Attack geography

TOP 10 countries and territories attacked by miners

| # | Country/territory* | %** |
|---|---|---|
| 1 | Senegal | 3.19 |
| 2 | Turkmenistan | 3.06 |
| 3 | Mali | 2.63 |
| 4 | Tanzania | 1.62 |
| 5 | Bangladesh | 1.06 |
| 6 | Ethiopia | 0.95 |
| 7 | Panama | 0.88 |
| 8 | Afghanistan | 0.79 |
| 9 | Kazakhstan | 0.77 |
| 10 | Bolivia | 0.75 |

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In Q1 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems.

In March, researchers with GTIG and iVerify reported the discovery of an in-the-wild exploit chain targeting both iOS and macOS devices. The exploit kit was apparently marketed on the dark web, providing threat actors with a suite of spyware capabilities alongside specialized cryptocurrency exfiltration modules. The exploit was delivered via drive-by downloads when victims visited various compromised websites. Our analysis confirmed that the toolkit included an updated version of a component previously identified in the Operation Triangulation attack chain.

Devices running macOS were similarly impacted by the high-profile supply chain attack targeting the Axios npm package, a widely used HTTP client for JavaScript. The installation of the infected package led to the deployment of a backdoor on macOS devices.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The share of PasivRobber spyware attacks is beginning to decline, giving way to more traditional adware and Monitor-class software capable of tracking user activity. The popular Amos stealer also maintains its presence within the TOP 20.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

| Country/territory | %* Q4 2025 | %* Q1 2026 |
|---|---|---|
| China | 1.28 | 1.97 |
| France | 1.18 | 1.07 |
| Brazil | 1.13 | 0.98 |
| Mexico | 0.72 | 0.52 |
| Germany | 0.71 | 0.45 |
| The Netherlands | 0.62 | 0.75 |
| Hong Kong | 0.49 | 0.53 |
| India | 0.42 | 0.48 |
| Russian Federation | 0.34 | 0.37 |
| Thailand | 0.24 | 0.27 |

* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q1 2026, the share of devices attacking Kaspersky honeypots via the SSH protocol saw a significant increase compared to the previous reporting period.

Distribution of attacked services by number of unique IP addresses of attacking devices

By contrast, the distribution of attackers’ sessions between Telnet and SSH kept the ratio observed in Q4 2025, so the rise in the SSH share was a rise in distinct attacking devices, not in session volume.

Distribution of attackers’ sessions in Kaspersky honeypots
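The two charts above measure different things: the first counts each attacking device (unique source IP) once per service, the second counts every session, so a handful of Telnet devices opening many connections can hold the session ratio steady while SSH gains ground in the device count. The Python below is an added example, not Kaspersky's code: it computes both shares from constructed honeypot log lines, plus the per-country breakdown by attacking-device IP that the source tables in this section use. The log format, the IP addresses (documentation ranges) and the IP-to-country table are all constructed stand-ins for a real honeypot log and a GeoIP database.

```python
"""Honeypot attack accounting: unique attacking devices vs. sessions.

Added example, not Kaspersky's code. The log format below is constructed for
illustration; real honeypot logs (Cowrie and the like) differ.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one line per attacker session against a honeypot.
# Format: <ISO timestamp> <service> <source IP> <session id>
SAMPLE_LOG = """\
2026-02-14T03:21:07Z ssh 198.51.100.7 s1
2026-02-14T03:21:09Z ssh 198.51.100.8 s2
2026-02-14T03:22:40Z ssh 203.0.113.20 s3
2026-02-14T03:25:12Z ssh 203.0.113.21 s4
2026-02-14T03:27:55Z ssh 192.0.2.9 s5
2026-02-14T03:30:01Z ssh 192.0.2.10 s6
2026-02-14T04:00:00Z telnet 203.0.113.99 s7
2026-02-14T04:00:02Z telnet 203.0.113.99 s8
2026-02-14T04:00:04Z telnet 203.0.113.99 s9
2026-02-14T04:00:06Z telnet 203.0.113.99 s10
2026-02-14T04:01:00Z telnet 192.0.2.77 s11
2026-02-14T04:01:03Z telnet 192.0.2.77 s12
2026-02-14T04:01:06Z telnet 192.0.2.77 s13
2026-02-14T04:01:09Z telnet 192.0.2.77 s14
"""

# Constructed IP -> country table standing in for a GeoIP database lookup.
GEO = {
    "198.51.100.7": "US", "198.51.100.8": "US",
    "203.0.113.20": "NL", "203.0.113.21": "NL", "203.0.113.99": "CN",
    "192.0.2.9": "DE", "192.0.2.10": "DE", "192.0.2.77": "PK",
}

LINE_RE = re.compile(r"^(\S+)\s+(ssh|telnet)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_log(text):
    """Return (service, ip, session) tuples; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, service, ip, session = m.groups()
            records.append((service, ip, session))
    return records


def _shares(counter):
    """Turn absolute counts into percentages of their total, rounded to 2 decimals."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 2) for k, v in counter.items()} if total else {}


def unique_device_share(records):
    """Share of attacked services by unique attacking IPs (an IP counts once per service)."""
    ips = defaultdict(set)
    for service, ip, _ in records:
        ips[service].add(ip)
    return _shares(Counter({s: len(v) for s, v in ips.items()}))


def session_share(records):
    """Share of attacked services by number of attacker sessions."""
    return _shares(Counter(service for service, _, _ in records))


def country_share(records, service, geo):
    """Share of unique attacking IPs per source country for one service (GeoIP on the device IP)."""
    ips = {ip for s, ip, _ in records if s == service}
    return _shares(Counter(geo.get(ip, "??") for ip in ips))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by unique device:", unique_device_share(recs))   # SSH dominates: 6 of 8 devices
    print("by session:      ", session_share(recs))         # Telnet dominates: 8 of 14 sessions
    print("SSH by country:  ", country_share(recs, "ssh", GEO))
```

On the constructed sample, SSH accounts for 75% of attacking devices but only about 43% of sessions, which is exactly the kind of gap that lets the device-share chart move while the session-share chart stays put. Deduplicating on source IP per service is what makes the device metric robust to a single bot retrying in a loop; it still over-counts hosts behind churning NAT or proxy pools, which is a caveat to keep in mind when reading the country tables.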

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered

The main shifts in the IoT threat distribution come from changes in the activity of individual Mirai botnet variants; the family as a whole continues to account for the majority of the list. A new variant, Mirai.kl, surfaced in the rankings. We also observed a significant decline in NyaDrop botnet activity during Q1.

Attacks on IoT honeypots

The United States, the Netherlands, and Germany accounted for the highest proportions of SSH-based attacks during this period.

| Country/territory | Q4 2025 | Q1 2026 |
|---|---|---|
| United States | 16.10% | 23.74% |
| The Netherlands | 15.78% | 17.57% |
| Germany | 12.07% | 10.34% |
| Panama | 7.72% | 6.34% |
| India | 5.32% | 6.05% |
| Romania | 4.05% | 5.82% |
| Australia | 1.62% | 4.61% |
| Vietnam | 4.21% | 3.50% |
| Russian Federation | 3.79% | 2.35% |
| Sweden | 2.25% | 2.09% |

China continues to account for the largest proportion of Telnet attacks, though there was a marked increase in activity originating from Pakistan.

| Country/territory | Q4 2025 | Q1 2026 |
|---|---|---|
| China | 53.64% | 39.54% |
| Pakistan | 14.27% | 27.31% |
| Russian Federation | 8.20% | 8.25% |
| Indonesia | 8.58% | 6.71% |
| India | 4.85% | 4.66% |
| Brazil | 0.06% | 3.30% |
| Argentina | 0.02% | 2.51% |
| Nigeria | 1.22% | 1.38% |
| Thailand | 0.01% | 0.55% |
| Sweden | 0.54% | 0.55% |

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries and territories that served as sources of web-based attacks

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages redirecting to exploits, sites containing exploits and other malicious programs, botnet C&C centers, and so on). One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In Q1 2026, Kaspersky solutions blocked 343,823,407 attacks launched from internet resources worldwide. Web Anti-Virus was triggered by 49,983,611 unique URLs.

Web-based attacks by country/territory, Q1 2026

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

| # | Country/territory* | %** |
|---|---|---|
| 1 | Venezuela | 9.33 |
| 2 | Hungary | 8.16 |
| 3 | Italy | 7.58 |
| 4 | Tajikistan | 7.48 |
| 5 | India | 7.21 |
| 6 | Greece | 7.13 |
| 7 | Portugal | 7.10 |
| 8 | France | 7.05 |
| 9 | Belgium | 6.83 |
| 10 | Slovakia | 6.80 |
| 11 | Vietnam | 6.62 |
| 12 | Bosnia and Herzegovina | 6.57 |
| 13 | Canada | 6.56 |
| 14 | Serbia | 6.50 |
| 15 | Tunisia | 6.36 |
| 16 | Qatar | 6.01 |
| 17 | Spain | 5.95 |
| 18 | Germany | 5.95 |
| 19 | Sri Lanka | 5.89 |
| 20 | Brazil | 5.88 |

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 4.73% of users’ computers worldwide were subjected to at least one Malware web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus and include detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.

In Q1 2026, our File Anti-Virus detected 15,831,319 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users whose computers had the File Anti-Virus triggered at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

| # | Country/territory* | %** |
|---|---|---|
| 1 | Turkmenistan | 47.96 |
| 2 | Tajikistan | 31.48 |
| 3 | Cuba | 31.03 |
| 4 | Yemen | 29.59 |
| 5 | Afghanistan | 28.47 |
| 6 | Burundi | 26.93 |
| 7 | Uzbekistan | 24.81 |
| 8 | Syria | 23.08 |
| 9 | Nicaragua | 21.97 |
| 10 | Cameroon | 21.60 |
| 11 | China | 21.09 |
| 12 | Mozambique | 21.02 |
| 13 | Algeria | 20.64 |
| 14 | Democratic Republic of the Congo | 20.63 |
| 15 | Bangladesh | 20.44 |
| 16 | Mali | 20.35 |
| 17 | Republic of the Congo | 20.23 |
| 18 | Madagascar | 20.00 |
| 19 | Belarus | 19.78 |
| 20 | Tanzania | 19.52 |

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware local threats were detected at least once on 11.55% of users’ computers during Q1.

Russia scored 11.92% in these rankings.
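The web-based and local risk rankings above apply the same method: for each country, the share of Kaspersky users on whose computer the scanner fired at least once on an object classified as Malware, with RiskTool and adware verdicts left out, countries with too few users excluded from the ranking, and a worldwide average taken over all users. The Python below is an added example, not Kaspersky's code, that reproduces this method on constructed telemetry. The user populations, user IDs, verdict strings and the `min_users` value are assumptions (the report uses 10,000 for these two rankings and 50,000 for the ransomware and miner tables); the only naming convention it relies on is the `not-a-virus:` prefix that Kaspersky verdict names carry for RiskTool and AdWare classes.

```python
"""Per-country infection-risk share from detection telemetry.

Added example, not Kaspersky's code. A country's figure is the percentage of
its protected users with at least one Malware-class detection; the same user
hitting several objects counts once; RiskTool/AdWare verdicts are excluded;
countries below a user threshold are dropped from the ranking but still
counted in the worldwide average. All data below is constructed.
"""
from collections import defaultdict

# Constructed: total protected users per country (the denominator).
# The real report excludes countries under 10,000 (web/local) or 50,000
# (ransomware/miners) users; these small numbers only illustrate the rule.
USERS = {"VE": 40, "HU": 25, "XX": 10}

# Constructed detection events: (user id, country, verdict string).
EVENTS = [
    ("u1", "VE", "Trojan-Downloader.Win32.Agent.abc"),
    ("u1", "VE", "Trojan.Win32.Generic"),                    # same user twice: counted once
    ("u2", "VE", "not-a-virus:RiskTool.Win32.Miner.xyz"),    # RiskTool: left out of Malware share
    ("u3", "VE", "not-a-virus:AdWare.Win32.Foo.bar"),        # AdWare: left out
    ("u8", "VE", "HEUR:Trojan.Script.Generic"),
    ("u4", "HU", "Trojan-Ransom.Win32.Gen"),
    ("u5", "HU", "HEUR:Exploit.Script.Generic"),
    ("u6", "HU", "Trojan.Win32.Generic"),
    ("u7", "XX", "Backdoor.Win32.Test"),                     # country below threshold
]


def is_malware(verdict):
    """Malware-class verdicts only: the 'not-a-virus:' prefix marks RiskTool, AdWare, etc."""
    return not verdict.startswith("not-a-virus:")


def attacked_users_by_country(events, filt=is_malware):
    """Set of unique attacked users per country; a user with many detections counts once."""
    users = defaultdict(set)
    for uid, country, verdict in events:
        if filt(verdict):
            users[country].add(uid)
    return users


def risk_ranking(events, users, min_users=10000, filt=is_malware):
    """(country, % of users attacked) sorted descending; small countries excluded from the table."""
    attacked = attacked_users_by_country(events, filt)
    rows = []
    for country, total in users.items():
        if total < min_users:
            continue
        rows.append((country, round(100.0 * len(attacked[country]) / total, 2)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def worldwide_share(events, users, filt=is_malware):
    """Worldwide average over all users, including the countries the ranking excluded."""
    attacked = attacked_users_by_country(events, filt)
    return round(100.0 * sum(len(v) for v in attacked.values()) / sum(users.values()), 2)


if __name__ == "__main__":
    print("Malware only:", risk_ranking(EVENTS, USERS, min_users=20))
    print("all verdicts:", risk_ranking(EVENTS, USERS, min_users=20, filt=lambda v: True))
    print("worldwide:   ", worldwide_share(EVENTS, USERS))
```

Running it with the Malware-only filter puts HU ahead of VE (12% vs 5%); passing `filt=lambda v: True` pulls the RiskTool and AdWare hits back in and lifts VE to 10%, which is why the report states the exclusion explicitly. The worldwide figure is computed over every user, so the excluded small country still contributes to it, matching the report's "on average worldwide" lines.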

Siri in iOS 27 will undergo a radical transformation. It will become part of the Dynamic Island and will also work as a standalone app

Živě.cz - 18 May, 2026 - 13:45
Siri will undergo a radical redesign and become a full-fledged AI assistant • It will work as a standalone app and integrate into the Dynamic Island • The system will also teach it to work with personal data and the content of your screen
Category: IT News