RSS Aggregator

3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)

The Hacker News - 1 April 2026 - 12:58
For years, cybersecurity has followed a familiar model: block malware, stop the attack. Now, attackers are moving on to what’s next. Threat actors use malware less frequently, favouring what is already inside your environment: abusing trusted tools, native binaries, and legitimate admin utilities to move laterally, escalate privileges, and persist without raising alarms. Most
Category: Hacking & Security

Apple invests another $400 million in domestic production. It will make chips and sensors in the USA

Živě.cz - 1 April 2026 - 12:45
Apple has set aside $600 billion to support domestic manufacturing. • It will distribute this amount among dozens of companies over the next four years. • It has now announced where $400 million of that sum will go.
Category: IT News

Google fixes fourth Chrome zero-day exploited in attacks in 2026

Bleeping Computer - 1 April 2026 - 12:25
Google has fixed the fourth Chrome vulnerability exploited in zero-day attacks since the start of the year. [...]
Category: Hacking & Security

Record Antarctic drill brings up 228 metres of mud and confirms that there was once life there, not ice

Živě.cz - 1 April 2026 - 11:45
An international team from the SWAIS2C programme has drilled the largest sediment core yet recovered in Antarctica, hidden more than five hundred metres beneath the West Antarctic Ice Sheet. The project, whose full name is Sensitivity of the West Antarctic Ice Sheet to +2 °C, has for years been trying to reveal what conditions lie deep ...
Category: IT News

Excellent Worx cordless screwdriver drops below 700 CZK. It comes with 28 bits and charges over USB-C

Živě.cz - 1 April 2026 - 10:45
The Worx WX242 cordless screwdriver can be bought on AliExpress for just 690 CZK. • It is well made, comes with plenty of accessories and charges over USB-C. • Users have practically no complaints about it.
Category: IT News

UK manufacturers under cyber fire with 80% reporting attacks

The Register - Anti-Virus - 1 April 2026 - 10:30
ESET says factory outages, lost revenue, and supply chain disruption are becoming routine

Nearly 80 percent of British manufacturers say they've been hit by a cyber incident in the past year, as new research suggests disruption on the factory floor is no longer an exception but business as usual.…

Category: Viruses and Worms

Watch out for the Core i7-13645HX, a mobile Raptor Lake with a faster memory controller and GPU

CD-R server - 1 April 2026 - 10:00
Intel has quietly released a new processor from an old line. The Core i7-13645HX adds support for faster memory and a more powerful integrated GPU; otherwise it is a copy of the existing model, which means it inherits the 157 W limit…
Category: IT News

Markdown has come back to life with AI. The old format has become a working language for both human and artificial intelligence

Živě.cz - 1 April 2026 - 09:45
Markdown is a simple markup language for structured text. • It is twenty years old, and its popularity is now growing thanks to AI. • It is structured, readable, and works well with AI as both an input and an output format.
Category: IT News

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

The Hacker News - 1 April 2026 - 09:44
Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean
Category: Hacking & Security

Enterprise Spotlight: Setting the 2026 IT agenda

Computerworld.com [Hacking News] - 1 April 2026 - 08:40

IT leaders are setting their operations strategies for 2026 with an eye toward agility, flexibility, and tangible business results. 

Download the January 2026 issue of the Enterprise Spotlight from the editors of CIO, Computerworld, CSO, InfoWorld, and Network World and learn about the trends and technologies that will drive the IT agenda in the year ahead.

Category: Hacking & Security

Google Drive ransomware detection now on by default for paying users

Bleeping Computer - 1 April 2026 - 08:35
Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users. [...]
Category: Hacking & Security

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

The Hacker News - 1 April 2026 - 08:12
Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement shared with CNBC News. "This was a release packaging issue caused by human error, not a security
Category: Hacking & Security

A laughing RAT: CrystalX combines spyware, stealer, and prankware features

Kaspersky Securelist - 1 April 2026 - 08:00

Introduction

In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.

Kaspersky’s products detect this threat as Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, Trojan.Win32.Agentb.gen.

Technical details

Background

The new malware was first mentioned in January 2026 in a private Telegram chat for developers of RAT malware. The author actively promoted their creation, called Webcrystal RAT, by attaching screenshots of the web panel. Many users observed that the panel layout was identical to that of the previously known WebRAT (also called Salat Stealer), leading them to label this malware as a copy. Additional similarities included the fact that the RAT was written in Go, and the messages from the bot selling access keys to the control panel closely matched those of the WebRAT bots.

After some time, this malware was rebranded and received a new name, CrystalX RAT. Its promotion moved to a corresponding new channel, which is quite busy and features marketing tricks, such as access key draws and polls. Moreover, it expanded beyond Telegram: a special YouTube channel was created, aimed at marketing promotion and already containing a video review of the capabilities of this malware.

The builder and anti-debug features

By default, the malware control panel provides third parties with an auto‑builder offering a wide range of configuration options, such as selective geoblocking by country, anti‑analysis functions, a custom executable icon, and others. Each implant is compressed with zlib and then encrypted with ChaCha20 under a hard‑coded 32‑byte key and a 12‑byte nonce. The malware has basic anti‑debugging functionality combined with additional optional capabilities:

  • MITM Check: checking whether a proxy is enabled by reading the proxy settings under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, blacklisting the names of certain processes (Fiddler, Burp Suite, mitmproxy, etc.), and checking for the installed root certificates of those tools
  • VM detect: checking running processes, presence of guest tools, and hardware characteristics
  • Anti-attach loop: an infinite loop checking the debug flag, debug port, hardware breakpoints, and program execution timings
  • Stealth patches: patches for functions such as AmsiScanBuffer, EtwEventWrite, MiniDumpWriteDump

Stealer capabilities

When launched, the malware establishes a connection to its C2 using a hard‑coded URL over the WebSocket protocol. It performs an initial collection of system information, after which all data is sent in JSON format as plain text. Then the malware executes the stealer function, doing so either once or at predefined intervals depending on the build options. The stealer extracts the victim’s credentials for Steam, Discord, and Telegram from the system. It also gathers data from Chromium‑based browsers using the popular ChromeElevator utility. To do this, it decodes and decompresses the utility using base64 and gunzip and saves it to %TEMP%\svc[rndInt].exe, then creates a directory %TEMP%\co[rndInt], where the collected data is stored, and finally runs ChromeElevator with all available options.

The collected data is exfiltrated to the C2. For the Yandex and Opera browsers, the stealer has a separate proprietary implementation that performs the decryption directly on the victim’s system. Notably, the builds created at the time of writing lack the stealer functionality; OSINT shows that the author intentionally removed it in order to refresh the stealer arsenal before enabling it again.

Keylogger & clipper

Another option of the RAT is the keylogger. All user input is instantly transmitted via WebSocket to the C2, where it is assembled into a coherent text suitable for analysis. Additionally, the malware allows the attacker to read and modify the victim’s clipboard by issuing appropriate commands from the control panel. Moreover, it can inject a malicious clipper into the Chrome or Edge browser. This happens according to the following algorithm:

  1. The special malware command clipper:set:[ADDR1,...], with the attackers’ crypto‑wallet addresses passed as arguments, launches the clipper injection thread.
  2. A %LOCALAPPDATA%\Microsoft\Edge\ExtSvc directory is created (regardless of whether Edge or Chrome is the target of the injection), in which a malicious extension is stored, consisting of a manifest and a single JS script named content.js.
  3. The content.js script is dynamically generated, containing regular expressions for crypto wallet addresses (such as Bitcoin, Litecoin, Monero, Avalanche, Doge, and others) and the substitution values.
  4. The generated script is activated via the Chrome DevTools Protocol (CDP) using the command Page.addScriptToEvaluateOnNewDocument.

The final script looks as follows (not reproduced in this copy of the article):
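
Several of the host-side artifacts described in the stealer and clipper sections are cheap to hunt for: the stealer’s %TEMP%\svc[rndInt].exe drop and %TEMP%\co[rndInt] collection directory, and the clipper’s side-loaded extension in %LOCALAPPDATA%\Microsoft\Edge\ExtSvc (a manifest plus content.js). The following is an added example, not code from Kaspersky or from the malware. It takes the two base directories as parameters so that it can be run against a constructed on-disk fixture; the wallet-address literal patterns are the editor’s own heuristic, since the page does not reproduce the generated content.js.

```python
import re
import tempfile
from pathlib import Path

# Heuristic wallet-address literals (assumption: the article does not list the exact
# regexes the generated content.js carries; these cover common BTC/LTC/XMR forms).
WALLET_LITERAL = re.compile(
    r"(?:bc1|ltc1)[ac-hj-np-z02-9]{25,62}"       # bech32 (BTC / LTC)
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"           # legacy base58 (BTC)
    r"|4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"          # Monero standard address
)

STEALER_EXE = re.compile(r"^svc\d+\.exe$", re.IGNORECASE)   # %TEMP%\svc[rndInt].exe
STEALER_DIR = re.compile(r"^co\d+$", re.IGNORECASE)          # %TEMP%\co[rndInt]


def scan_temp(temp_dir):
    """Flag the stealer's ChromeElevator drop and its collection directory."""
    hits = []
    for entry in Path(temp_dir).iterdir():
        if entry.is_file() and STEALER_EXE.match(entry.name):
            hits.append(("stealer_exe", str(entry)))
        elif entry.is_dir() and STEALER_DIR.match(entry.name):
            hits.append(("stealer_dir", str(entry)))
    return hits


def scan_clipper_extension(localappdata):
    """Flag the clipper's side-loaded extension under Microsoft\\Edge\\ExtSvc."""
    ext = Path(localappdata) / "Microsoft" / "Edge" / "ExtSvc"
    manifest, script = ext / "manifest.json", ext / "content.js"
    hits = []
    if manifest.is_file() and script.is_file():
        hits.append(("clipper_extension", str(ext)))
        literals = sorted(set(WALLET_LITERAL.findall(script.read_text(errors="replace"))))
        if literals:                       # hard-coded replacement addresses, if any
            hits.append(("clipper_wallets", ",".join(literals)))
    return hits


def hunt(temp_dir, localappdata):
    """Run both checks; returns a list of (kind, location) tuples."""
    return scan_temp(temp_dir) + scan_clipper_extension(localappdata)


def build_fixture(root):
    """Constructed on-disk layout mimicking an infected profile (test data only)."""
    root = Path(root)
    temp = root / "Temp"
    (temp / "co48213").mkdir(parents=True)
    (temp / "svc48213.exe").write_bytes(b"MZ-placeholder")
    (temp / "co48213" / "passwords.txt").write_text("constructed")
    (temp / "legit.exe").write_bytes(b"MZ")                      # must not match
    ext = root / "Local" / "Microsoft" / "Edge" / "ExtSvc"
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text('{"manifest_version": 3, "name": "ExtSvc"}')
    (ext / "content.js").write_text(
        # Constructed stand-in; the address is the BIP173 example address, not a live wallet.
        'const BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq";\n'
        'document.body.innerHTML = document.body.innerHTML.replace(/bc1[a-z0-9]{25,62}/g, BTC);\n'
    )
    return str(temp), str(root / "Local")


def demo():
    """Build the constructed fixture in a scratch directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        temp_dir, local = build_fixture(tmp)
        return hunt(temp_dir, local)


if __name__ == "__main__":
    for kind, where in demo():
        print(f"[{kind}] {where}")
```

On a live host the two arguments would be os.environ["TEMP"] and os.environ["LOCALAPPDATA"]. The extension check is the stronger signal: Edge and Chrome do not create an ExtSvc directory there, so its mere presence with a manifest and content.js is worth a look, and any wallet-looking literal inside it is the attacker’s substitution address.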

Remote access

The malware has a large set of commands for remote access to the victim’s system. The attacker can upload arbitrary files, execute any commands using cmd.exe, and also browse the file system, including all available drives. Moreover, the RAT includes its own VNC that allows the attacker to view the victim’s screen and control it remotely. Since both the attacker and the victim use the same session, the panel provides a number of buttons to block user input so that the attacker can perform necessary actions unhindered. The malware can also capture the audio stream from the microphone and the video stream from the camera in the background.

Prank commands

The finishing touch is a separate section of the panel named “Rofl” with commands whose functions consist of various pranks on the victim.

  • Setting a background: downloading an image from a specified URL and using it as the desktop background.
  • Display orientation: rotating the screen 90°, 180°, or 270°.
  • System shutdown: the panel has two different buttons “Voltage Drop” and “BSoD”, but malware analysis shows that both commands perform a regular shutdown using the appropriate utility.
  • Remapping mouse buttons: swapping left click with right click and the other way round.
  • Peripherals disruption: disconnecting the monitor and blocking the input from the mouse and keyboard.
  • Notifications: displaying a window with a custom title and message.
  • Cursor shake: a special command starts a loop in which the cursor position changes chaotically at short intervals.
  • Disabling components: hiding all file icons on the desktop, disabling the taskbar, task manager, and cmd.exe.

Moreover, the attacker can send a message to the victim, after which a dialog window will open in the system, allowing a bidirectional chat.

Conclusions

The sheer variety of available RATs has sustained demand, as actors prioritize the flexibility of existing malware and its infrastructure. CrystalX RAT is thus a highly functional MaaS platform that is not limited to espionage capabilities (spyware, keylogging and remote control) but also includes unusual stealer and prankware features. The initial infection vector is not yet precisely known, but the malware has already affected dozens of victims. Although to date we have only seen infection attempts in Russia, the MaaS itself has no regional restrictions, meaning it may be used anywhere in the world. Moreover, our telemetry has recorded new implant versions, which indicates that this malware is still being actively developed and maintained. Combined with the growing PR campaign for CrystalX RAT, we conclude that the number of victims may increase significantly in the near future.

Indicators of Compromise

# C2 infrastructure
webcrystal[.]lol
webcrystal[.]sbs
crystalxrat[.]top

# CrystalX RAT implants
47ACCB0ECFE8CCD466752DDE1864F3B0
2DBE6DE177241C144D06355C381B868C
49C74B302BFA32E45B7C1C5780DD0976
88C60DF2A1414CBF24430A74AE9836E0
E540E9797E3B814BFE0A82155DFE135D
1A68AE614FB2D8875CB0573E6A721B46
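
The C2 domains above are published defanged, and the implant’s WebSocket traffic to a hard-coded URL is the most reliable network signal. A triage script therefore has to refang the indicators and then match on the domain suffix rather than on substrings, so that api.webcrystal.lol is caught but notwebcrystal.lol is not. The following added example (the editor’s, not from the article) does exactly that over a few constructed proxy and DNS log lines whose key=value format is invented for the demonstration, and checks a list of observed file MD5s against the implant hashes listed above.

```python
import re

# Indicators as published above, defanged.
C2_DOMAINS_DEFANGED = ["webcrystal[.]lol", "webcrystal[.]sbs", "crystalxrat[.]top"]
IMPLANT_MD5 = {
    "47ACCB0ECFE8CCD466752DDE1864F3B0",
    "2DBE6DE177241C144D06355C381B868C",
    "49C74B302BFA32E45B7C1C5780DD0976",
    "88C60DF2A1414CBF24430A74AE9836E0",
    "E540E9797E3B814BFE0A82155DFE135D",
    "1A68AE614FB2D8875CB0573E6A721B46",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable, lower-cased domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]


def domain_matches(hostname, ioc_domains):
    """True if hostname is an IOC domain or a subdomain of one (suffix match)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

# Constructed log format (assumption): space-separated key=value fields.
HOST_RE = re.compile(r"(?:dst|host|query|sni)=([A-Za-z0-9.-]+)")


def scan_log(lines, ioc_domains):
    """Return (line_number, hostname) for every host field that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, ioc_domains):
                hits.append((n, host))
    return hits


def match_hashes(observed_md5s, ioc_md5s):
    """Case-insensitive intersection of observed file hashes with the IOC set."""
    return sorted({h.strip().upper() for h in observed_md5s} & ioc_md5s)


# Constructed sample data; hostnames and IPs are documentation values, not real telemetry.
SAMPLE_LOG = [
    "2026-04-01T10:02:11Z proxy dst=crystalxrat.top uri=wss://crystalxrat.top/ws upgrade=websocket",
    "2026-04-01T10:02:12Z dns query=api.webcrystal.lol type=A",
    "2026-04-01T10:03:00Z dns query=notwebcrystal.lol type=A",            # substring trap
    "2026-04-01T10:04:00Z proxy dst=updates.example.org uri=https://updates.example.org/",
    "2026-04-01T10:05:00Z dns query=webcrystal.lol.example.net type=A",   # wrong-side suffix
    "2026-04-01T10:06:00Z tls sni=WEBCRYSTAL.SBS dst=203.0.113.10",
]
SAMPLE_FILE_MD5S = [
    "47accb0ecfe8ccd466752dde1864f3b0",   # one of the published implant hashes, lower-cased
    "d41d8cd98f00b204e9800998ecf8427e",   # MD5 of the empty file; benign
]

if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG, C2_DOMAINS):
        print(f"line {n}: C2 domain hit {host}")
    for h in match_hashes(SAMPLE_FILE_MD5S, IMPLANT_MD5):
        print(f"implant hash hit {h}")
```

The two negative cases in the sample are the ones that trip naive substring greps: notwebcrystal.lol shares a suffix string with the IOC but is a different registrable domain, and webcrystal.lol.example.net places the IOC on the wrong side of the hostname. Matching on the whole-label suffix avoids both while still catching subdomains and upper-cased SNI values.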

Ryzen 5 5500X3D appears in a European e-shop’s listings

CD-R server - 1 April 2026 - 07:40
The lowest-end X3D part, the mainstream Ryzen 5 5500X3D, which was released only for specific markets, has arrived in Europe. Is this a first sign of a wider launch, or just a coincidence?
Category: IT News

New Windows 11 emergency update fixes preview update install issues

Bleeping Computer - 1 April 2026 - 07:33
Microsoft released an emergency update to fix the March 2026 KB5079391 non-security preview update, which was pulled over the weekend due to installation issues. [...]
Category: Hacking & Security

Microsoft facing CMA probe of its business software portfolio

Computerworld.com [Hacking News] - 1 April 2026 - 06:31

The regulatory body which last year accused Microsoft of inflating its office software’s license prices when it was run on rival cloud platforms to make those platforms less appealing, said Tuesday it will conduct a further investigation into the company’s entire business software ecosystem.

The probe by the UK’s Competition and Markets Authority (CMA), scheduled to begin in May, follows an earlier investigation into the UK cloud services marketed by Microsoft and Amazon in which it determined that their dominance had stifled competition and inflated prices.

The strategic market status (SMS) investigation into Microsoft’s business software ecosystem, the CMA’s release said, allows it to act on a major concern emerging from the cloud market investigation: Microsoft’s use of software licensing reducing competition in cloud. “[The investigation] would also provide a route to ensuring a level playing field among providers at a critical moment, as AI-driven innovation reshapes competition in productivity software,” it said.

CMA Chief Executive Sarah Cardell further described the SMS probe as “[a way] to enable us to tackle remaining concerns around Microsoft’s licensing practices in cloud, and would also enable us to ensure a level playing field as AI is rapidly embedded into everyday business software tools.”

Cloud changes allow greater choice

The CMA stated in its release that, as a result of last year’s investigation, Amazon and Microsoft have “set out actions on cloud egress fees and interoperability to support greater choice for businesses and public sector organizations in the UK. These changes will reduce expense and effort for UK customers when using more than one cloud provider.” As a result, the CMA decided not to move forward with a future SMS probe into the companies’ cloud services.

In a blog post announcing the new terms for Azure customers in the UK, Microsoft President Brad Smith wrote, “The changes address the CMA’s commitment to ensuring that UK customers can continue to move, deploy, and operate their workloads in the clouds of their choice with confidence, flexibility, and ever-reduced friction.”

Smith added that Microsoft recognizes that the CMA “will continue to review and assess additional issues relating to our products and services, including in the business software market. We are committed to working quickly and constructively to address these issues, including by providing all the information the CMA needs to move forward with its reviews.”

A welcome move

Matthew Sinclair, senior director and head of the London office of the Computer & Communications Industry Association (CCIA), a group which represents a cross section of communications and technology firms, described the move by the CMA as “welcome news.”

It will, he said, “avoid overly broad and prescriptive interventions that would have impeded investment and innovation in UK cloud services. The regulator can focus its efforts on action to address specific issues, particularly restrictive software licensing terms for legacy software, which are costing UK users a fortune.”

A resilience and digital sovereignty issue

In response to both CMA decisions, Forrester senior analyst Dario Maisto said, “in times of increasing geopolitical volatility, organizations and authorities are reassessing risks coming from dependencies on foreign providers, to improve their digital sovereignty posture.”

He pointed out, “if we consider that Microsoft and AWS own some 70% of the European and UK public cloud market, we can easily understand how emerging sovereignty concerns add to existing concentration risk in a mix that urges action now more than ever.”

According to Maisto, Microsoft’s case is under even more regulatory scrutiny because European and UK organizations have a strong dependency on its productivity suite, regardless of the infrastructure layer.

Over the last two decades, he said, “organizations have grown their Microsoft cloud and solutions deployments under the motto that ‘nobody was ever fired for choosing Microsoft.’ This has resulted in an unparalleled concentration of risk which is further accrued due to what we call the ‘weaponization of IT’ and its relative retaliation counter measures.”

Efforts to boost interoperability and lower egress fees are fine, said Maisto, but the issue of the availability of real alternatives is still there. For example, he pointed out, to date, there is still no equivalent product that allows compatibility with Excel macros. “This is not just a competition problem, but rather a resilience and digital sovereignty issue for any organization with strong dependencies on foreign vendors,” he said. 

This article originally appeared on NetworkWorld.

Category: Hacking & Security

Claude Code source code leaked to the public

AbcLinuxu [news] - 1 April 2026 - 04:33
Anthropic apparently published, by mistake, the complete source code of its CLI tool Claude Code via a sourcemap file bundled in an npm package. The leak revealed previously unannounced features such as a stealth mode, an autonomous agent 'KAIROS', multi-agent orchestration, a dream mode and even a virtual pet, Buddy. One curiosity is the detection of user frustration using a plain regexp. Anthropic quickly removed the sourcemap and released a fix, but copies of the code had already spread among ordinary users on GitHub.
Category: GNU/Linux & BSD