Agregátor RSS

Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass. [...]

No emails, no warnings, no humans – just bots, catch-22s, and a 60-day appeals queue

Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates.…

Kometu C/2025 R3 nejlépe spatříte mezi čtvrtou a pátou hodinou ranní • Na ranní obloze ji naleznete v oblasti známého souhvězdí Pegasa • Tento objekt naší sluneční soustavou prolétá poprvé a možná i naposledy

Wash your mouth out with digital soap

Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.…

Thursday. Another week, another batch of things that probably should've been caught sooner but weren't. This one's got some range — old vulnerabilities getting new life, a few "why was that even possible" moments, attackers leaning on platforms and tools you'd normally trust without thinking twice. Quiet escalations more than loud zero-days, but the kind that matter more in Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

A federal appeals court in Washington has refused to suspend the Pentagon’s supply-chain risk designation against Anthropic, leaving defense contractors with conflicting legal signals over whether they can continue using Claude, and putting the ruling at odds with a separate federal court that reached the opposite conclusion last month.

“The equitable balance here cuts in favor of the government,” a three-judge panel wrote in its order Wednesday. “On one side is a relatively contained risk of financial harm to a single private company. On the other side is judicial management of how, and through whom, the Department of War secures vital AI technology during an active military conflict.”

The panel, comprising Judges Henderson, Katsas, and Rao, acknowledged that Anthropic “will likely suffer some degree of irreparable harm” but found its interests “seem primarily financial in nature” rather than constitutional.

The order states the ruling is not a final decision on the merits. Oral arguments are set for May 19.

Anthropic had asked the US Court of Appeals for the District of Columbia Circuit to pause the supply-chain risk designation issued March 3 by Secretary of War Pete Hegseth.

The label, according to the company’s court filings, bars it from Pentagon contracts and requires defense contractors to stop using Claude in military work. The court denied the request, conflicting with a US District Court in California that granted Anthropic a preliminary injunction on March 26, blocking a parallel designation under a related statute.

Acting Attorney General Todd Blanche called the ruling “a resounding victory for military readiness” in a post on X. “Military authority and operational control belong to the Commander-in-Chief and Department of War, not a tech company,” he wrote.

Vendor risk is no longer predictable

For enterprises, the split ruling creates a compliance problem with no clean answer. The order states the Department has canceled its contracts with Anthropic, begun removing Claude from its systems, and prohibited contractors from using it as a subcontractor on Pentagon work. It also states, however, that “the Department has not prohibited contractors from using Claude for work performed for entities other than the Department.”

That distinction does not resolve the uncertainty. Following the California injunction, the government filed a compliance status report on April 6, cited in legal analysis by Herbert Smith Freehills Kramer, confirming it had restored Anthropic access across federal systems. That compliance applied only to the California statute. The broader D.C. designation remains active.

Sanchit Vir Gogia, chief analyst at Greyhound Research, said enterprises are dealing with vendor risk that their procurement frameworks were not designed to handle. “It means a vendor does not have a single legal status anymore. It can be restricted under one framework and protected under another, at the same time. That is a very different world from the one enterprise procurement teams are used to operating in,” he said.

The timing mismatch compounds the problem, Gogia said. “Legal processes move on their own timelines. Procurement cycles move on to another. Architecture decisions, once made, are not easy to reverse. When those timelines fall out of sync, you end up locked into dependencies that may no longer be viable,” he said.

‘Any lawful use’ shifts governance into the contract

The case has implications beyond Anthropic, Gogia said. The “any lawful use” standard the Pentagon sought to impose is one that the General Services Administration is separately moving to codify across federal AI procurement.

If that happens, governance authority would move from vendor-defined safeguards into contract language, Gogia said. “The contract becomes the final authority, not the platform. Governance is no longer primarily enforced through design. It is enforced through legal agreement,” he said.

Large defense contractors required to operate under such terms will push equivalent requirements down their supply chains, Gogia said, meaning enterprises with no direct Pentagon exposure may still face similar obligations through their partners.

On Anthropic’s refusal to drop its ethical restrictions, he said the question enterprises ultimately ask is “not whether a vendor is ethical, but whether that vendor can remain usable across all the contexts in which the enterprise operates.”

Matt Schruers, CEO of the Computer & Communications Industry Association, which filed an amicus brief in the case alongside ITI, SIIA, and TechNet, said the outcome adds to an already difficult environment. “The Pentagon’s actions and the DC Circuit’s ruling create substantial business uncertainty at a time when US companies are competing with global counterparts to lead in AI,” he said in a statement.

The D.C. court directed both parties to address three unresolved threshold questions before May 19, including whether the court has jurisdiction over Anthropic’s petition at all, according to the order. Anthropic’s opening brief is due April 22. Anthropic did not immediately respond to a request for comment.

Líbí se mi tmavý motiv macOS, ale u některých interních aplikací zase tak dobře nevypadá, případně je méně čitelný. Standardně systém nedovoluje oddělit barevné nastavení softwaru. Existuje však trik, jak toho dosáhnout. Světlý a tmavý Finder Stačí nastavit systému tmavý motiv a jednotlivé ...

Threat actors often signal their intentions before launching attacks, from dark web chatter to access-broker listings and credential requests. Join our upcoming webinar with Flare Systems to learn how to turn those early warning signs into proactive defensive action before an intrusion begins. [...]

Firma Ojective Development vydala svůj nástroj pro monitorování a řízení odchozích síťových připojení Little Snitch i pro operační systém Linux. Linuxová verze se skládá ze tří komponent: eBPF program pro zachytávání provozu a webové rozhraní jsou uvolněny pod GNU GPLv2 a dostupné na GitHubu (převážně Rust a JavaScript), jádro backendu je proprietární pod vlastní licencí, nicméně zdarma k použití a redistribuci (cena přitom normálně začíná na 59€). Balíčky lze stahovat ze stránek Objective Development. (Little Snitch vyžaduje minimálně jádro 6.12 s BTF a momentálně nefunguje se souborovým systémem Btrfs, což má být v příští verzi opraveno.)

Attackers slipped into the process and redirected funds, leaving the company scrambling to recover the cash

UK-listed oil and gas outfit Zephyr Energy plc has admitted a cyber incident siphoned off roughly £700,000 after a single payment to a contractor was quietly redirected to an attacker-controlled account.…

As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility of security teams, bypassing controls and creating new blind spots in what is known as shadow AI. While similar to the phenomenon [email protected]

Adobe’s Shantanu Narayen announced plans to step down as CEO last month after 18 years leading software vendor through several periods of tech change from the arrival of the cloud, mobile computing, and the early days of artificial intelligence.  

For whomever is tapped next for the top job — the search is expected to take several months — the biggest priority will be reshaping Adobe’s products and strategy for the next wave of agentic AI, analysts said.

“Ultimately, Adobe must evolve from a leader in creative tools to the system that connects content, context, and commerce in a world of real-time agentic interactions,” said Gerry Murray, research director at IDC.

Adobe CEO Shantanu Narayen (L) and Judson Althoff, CEO of Microsoft’s commercial business, speak on stage at Microsoft Ignite 2025. 

Microsoft

Narayen’s resignation, will “force the Adobe board to search for a leader who is not just a master of the subscription economy, but a visionary in the ‘agentic’ AI era,” Jim Lundy at Aragon Research said in a blog post last month.   

Adobe’s next CEO inherits a business that’s fundamentally strong, but entering a “more complex phase of execution,” said Maria Bell, senior research analyst at CCS Insight. “Under Shantanu Narayen, the company not only transitioned to a cloud subscription model, but built a highly integrated platform spanning creative, document and marketing workflows. 

“The challenge for his successor is less about transformation and more about proving that Adobe’s AI-led strategy can deliver consistent, long-term growth.” 

Questions about the company’s path ahead come as it prepares for Adobe Connect later this month in Las Vegas. The event runs April 20-22.

Adobe was among the early adopters of generative AI (genAI) with the launch of its Firefly model in March 2023, positioning itself as a commercially safe tool for enterprise customers such as IBM, Pepsi and Mattel to generate content. It later expanded Firefly with the addition of multi-modal AI tools that included video, vector and audio, while embedding Firefly across its software and rolling out GenStudio in 2024 to help businesses manage AI-generated at scale. 

Those moves have yet to reassure investors that the company is on solid footing. Adobe’s stock fell following its latest earnings report, despite seeing better-than-expected revenue and a three-fold year-on-year increase in AI-related sales.

Adobe had 850 million monthly users across Acrobat, Creative Cloud, Express and Firefly, according to its most recent financial results.

The company faces competition from a number of vendors, including Canva and Figma, which also offer creative design tools. It also must contend with AI providers such as OpenAI and Google that enable users to generate content via prompts.

“Adobe is no longer competing only with traditional design tools, but with a broader set of AI-native platforms and ecosystems that are reshaping how content is created and consumed,” said Bell. “This shifts the basis of competition from product capability to accessibility, integration and cost — putting pressure on Adobe’s historical pricing power.”

Although he will remain as chairman of the board, Narayen’s departure adds to the uncertainty around Adobe’s future. 

“While Adobe is currently in a position of strength,” said Lundy, “a leadership change of this magnitude often invites aggressive competitive maneuvers from rivals in the marketing and design tech stacks.” 

The key challenge for any successor will be “balancing Adobe’s professional-grade heritage with the increasing commoditization of creative tools driven by AI,” he said.

The most immediate pressure point for Adobe is its Creative Cloud suite, according to Murray, as competitors threaten Adobe’s dominance in the market. “AI-native tools are collapsing the value of skill, time, and complexity, especially for students and prosumers,” he said. “Adobe will need to rethink pricing and packaging around outputs rather than tools, while dramatically simplifying the user experience.” 

Nevertheless, Adobe retains a “significant structural advantage” in the strength of its product ecosystem and user base, said Bell. “Its tools remain deeply embedded among professional designers and creative teams, supported by a strong community built over decades.”

Another priority will be the need to differentiate its offerings from competitors that rely on similar AI models. This shifts competition away from engineering and towards a go-to-market strategy, Murray said, requiring Adobe to “innovate on pricing, packaging, and partners” to attract and retain users. 

Adobe has made “clear progress” embedding generative AI (genAI) tools across its portfolio, said Bell, but the move towards usage-based models — including generative credits and more flexible access models — “creates uncertainty around pricing, revenue predictability and margin sustainability.

“As such, the priority is moving from feature rollout to monetization discipline,” she said. 

There’s also the prospect that increasingly capable autonomous third-party AI agents could put pressure on Adobe’s margins. While some SaaS-pocalypse concerns are overblown — including the prospect that business customers will vibe-code their own enterprise apps – the emergence of increasingly capable AI agents could push software applications down to an infrastructure layer that agents access on behalf of humans. 

“AI is making it possible to recompose software dynamically, which threatens traditional application-layer value,” said Murray. 

At the same time, he noted that Adobe also has the opportunity to “redefine its moat” around agentic workflows and its ability to connect content and data for smarter automation.

To help Adobe adapt to these ongoing technological shifts, the next CEO will need to appoint a “central authority to align AI product strategy, platform architecture, and partnerships across business units” or lead the charge.

Adobe requires a “robust AI stack,” he said, but will have to find its place in a shifting landscape.  “… Adobe is unlikely to own the enterprise AI control plane, so success will depend on building an open, interoperable stack that integrates with hyperscalers while delivering differentiated value at the application and workflow level,” said Murray.

Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Evropský parlament v březnu odmítl prodloužení Chat Control 1.0. Jenže v EU probíhá trialog o Chat Control 2.0, který je svou konstrukcí matoucí. Plošné sledování chatů a e-mailů by explicitně nezavedl, ale služby by k němu stejně nejspíš donutil.

An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX. Two of the targets included prominent Egyptian journalists and government critics, Mostafa Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. [...]

Nizozemský startup hodlá nahradit staré motory novým vodíkovým systémem • Takto upravený letoun díky dlouhému doletu snadno obslouží většinu tras • První zkušební lety a komerční nasazení proběhnou do konce desetiletí

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for “Proxifier”. Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments.

By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license.

If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives.

The GitHub project itself contains the source code for a rudimentary proxy service. However, if you head over to the Releases section, you’ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.

Once launched, the Trojan’s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic.

First, it creates a tiny stub file – only about 1.5 KB in size – in the temp directory under the name “Proxifier<???>.tmp” and runs it. This stub doesn’t actually do anything on its own; it serves as a donor process. Later, a .NET application named “api_updater.exe” is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.

As soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named “bin.exe”, which runs a PowerShell script using the same method as before.

The script is obfuscated and parts of it are encoded, but it really only performs four specific actions:

• Add the “powershell” and “conhost” processes to Microsoft Defender exclusions.
• Create a registry key at HKLM\SOFTWARE\System::Config and store another Base64-encoded PowerShell script inside it.
• Set up a scheduled task to launch PowerShell with another script as an argument. The script’s task is to read the content of the created registry key, decode it, and transfer control to the resulting script.
• Ping an IP Logger service at https[:]//maper[.]info/2X5tF5 to let the attackers know the infection was successful.

This wraps up the primary stage of the infection. As you can see, the Trojan attempts to use fileless (or bodiless) malware techniques. By executing malicious code directly in allocated memory, it leaves almost no footprint on the hard drive.

The next stage is launched along with the task created in the scheduler. This is what it looks like:

The task launches the PowerShell interpreter, passing the script from the arguments as input. As we already mentioned, it reads the contents of the previously created Config registry key, then decodes and executes it. This is yet another PowerShell script whose job is to download the next script from hardcoded addresses and execute it. These addresses belong to Pastebin-type services, and the content located there is encoded in several different ways at once.

Decoded and deobfuscated script from the Config registry key

The script from Pastebin continues the download chain. This time, the payload is located on GitHub.

Decoded script from Pastebin

It’s a massive script, clocking in at around 500 KB. Interestingly, the bulk of the file is just one long Base64 string. After decoding it and doing some deobfuscation, we end up with a script whose purpose is quite clear. It extracts shellcode from a Base64 string, launches the fontdrvhost.exe utility, injects the shellcode into it, and hands over control.

The shellcode, in turn, unpacks and sets up the code for the final payload. This is classic ClipBanker-like malware, and there’s nothing particularly fancy about it. It’s written in C++, compiled with MinGW, doesn’t bother with system persistence, and doesn’t even connect to the network. Its entire job is to constantly monitor the clipboard for strings that look like crypto wallet addresses belonging to various blockchain-based networks (Cardano, Algorand, Ethereum, Bitcoin, NEM, Stellar, BNB, Cosmos, Dash, Monero, Dogecoin, MultiversX, Arweave, Filecoin, Litecoin, Neo, Osmosis, Solana, THOR, Nano, Qtum, Waves, TRON, Ripple, Tezos, and ZelCash), and then swap them with the attackers’ own addresses.

Here is the full list of replacement addresses:

addr1qxenj0dwefgmp9z4t4dgek3yh3d8cfzcl6u97x2ln8c4nljjv7xdw2u0jhfdy90arm0xr0das4kznrh8qj33dzu8z5fqdtusyt QSAROFQNKPXKKDNK67N5MQY5IQ4MTKGLI65KREVHKW53R2M6WHORP3ME2E 0x97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071 qrherxuw7fupud48l9xwvdcg7w64g8g7xvls9vgqyq bc1q88r38gk8ynrhdfur7yefwf5hrn2y56s90vlrvq 36vf1gvZSxHkRRhAFiH6fotVWYEwH3tk22 14U9sBVDRyEfPgR8h9QJatwtrodey4NeH4 bc1phfm9d0fpqtgr9hkrxx5ww9k2qzww59q5czga95rtmk6vh5h8devsa72fxk btg1qqfrsueknwmg92xrpch22wru0g4ka4p2vum3pdj AcRjmRuDswUeQHtxJnzAn496r9Lo8XQjUK GW9DJpw4mBJnVUWucX3szdH5bXZ9pqzLRF bnb18nqx60dx6dhhsdyddcl0653392w0v4yhx07knl cosmos10zqq0frph0rs36wwjg4r2r5626m6a2dgv3h6nv DskZFNcs5MKg9EdvhAnu87YGzWwVoBvd2tZ Xj3KofSCPq97odR8hiFjfeZs2FqbwUbstk DJYXgJuBrc7cuGn4sgJXz1sdArKURkoWS9 erd14n38wkxm9epjh0s2y8078yqqzy4ztq9ckczy883dwcfgd54peaqs3tp2k2 a2dB176hgduQopnJPrEGjfojRWSHwTS62Q f1qxoyqf3va2mwfbgzah3t7pqe7x5fmdev5dqc25a inj1qw709q8utgjhxrs2cqczhmz2w254dedllzmlef ltc1q4calyk5x5g36ckpsrcr6ndtxdlc0ea9qs4h44n MCB8j9kXkX3f3BoXaBcsDc9RFoki9Kb3AR LhMGEmEGwxcGhCEQ7QmbC1hywRbHbbv6p8 14FBxuV8HEuuWPFoFHbbG4Hm4pa7CqroQiGDeWvZdGiiJm8W osmo10zqq0frph0rs36wwjg4r2r5626m6a2dgy2y297 7ATuKGME8AG9Tz5Qe4eRf1EAwqJNUvYXMiCGmtSbaJXR thor12x0nqpjz2djpuaxm2j2z963sawdcze3nhxacyu EQA28DFYnisowE0e49Sp2DUv6RKQWOJGbvegKWRPXE83bMnQ nano_1j9mjyi4q8qytb1r7yyqntzkyay5xo1wznnwmy9a3p9r371zb3d6wr6xs8y5 QXwbqRnmxgmMZQk5WEvMYEBVzf1MP4eMY9 3P7zSKMhfMPr5kd85xtHNmCx2gi9apCgnSP TNkGLYwtjcSk2A9U8cxJzttGeGEgz56hSP GB4XWREV3WOXWIWFE3DVX3FUNUXLOC7EEGXHZXRUKI5AMZAG3SV7EV4P 46QtL5btfnq85iGrPDFabp4mxGhRbEZJaH67i5LhQsWhCnuiURKVU74QbMpf4TcZqgDnENMWaqhpt82vQSEdyBf4Tp1v8Y9 rKwSuwgNNWn8P8x1ckUopKkErnPW3tVrz9 tz1cPNzMxTsLzV1Gca2VowGgjRm7MkRzGLw5 t1Nwwai9UsQxcgJVVbssnmfjfznhbq2v8ud ZEPHYR2tzMbbkY7CCsShtADqstJLEeZfEiDHQeRchSg8FoqAn2XzsDD8eEEx5cweBQb4jX12DhfPz36c6TD6uV9fPrcFMqwzTn93Y

The complete execution chain, from the moment the malicious installer starts until the ClipBanker code is running, looks like this:

Victims

Since the beginning of 2025, more than 2000 users of Kaspersky solutions have encountered this threat, most of them located in India and Vietnam. Interestingly, 70% of these detections came from the Kaspersky Virus Removal Tool, a free utility used to clean devices that are already infected. This underscores the importance of the preemptive protection: it is often cheaper and easier to prevent the infection than to face consequences of a successful attack.

Conclusion

This campaign is yet another perfect example of the old adage: “buy cheap, pay twice”. Trying to save a buck on software, combined with a lack of caution when hunting for free solutions, can lead to an infection and the subsequent theft of funds – in this case, cryptocurrency. The attackers are aggressively promoting their sites in search results and using fileless techniques alongside a marathon infection chain to stay under the radar. Such attacks are difficult to detect and stop in time.

To stay safe and avoid losing your money, use reliable security solutions that are able to prevent your device form being infected. Download software only from official sources. If for some reason you can’t use a reputable paid solution, we highly recommend thoroughly vetting the sites you use to download software.

Indicators of compromise

URLs
https[:]//pastebin[.]com/raw/FmpsDAtQ
https[:]//snippet[.]host/aaxniv/raw
https[:]//chiaselinks[.]com/raw/nkkywvmhux
https[:]//rlim[.]com/55Dfq32kaR/raw
https[:]//paste.kealper[.]com/raw/k3K5aPJQ
https[:]//git.parat[.]swiss/rogers7/dev-api/raw/master/cpzn
https[:]//pinhole[.]rootcode[.]ru/rogers7/dev-api/raw/master/cpzn
https[:]//github[.]com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
https[:]//gist.github[.]com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz

Hashes
34a0f70ab100c47caaba7a5c85448e3d
7528bf597fd7764fcb7ec06512e073e0
8354223cd6198b05904337b5dff7772b

Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December. [...]