data exfiltration Archives

AppWizard

March 25, 2026

FBI warns of Russian, Iranian cyber activity involving messaging platforms

The FBI issued alerts regarding cyber campaigns by Russian and Iranian actors targeting messaging platforms. Russian intelligence services are reportedly infiltrating applications like Signal, leading to unauthorized access of thousands of accounts of U.S. government officials, military personnel, political figures, and journalists. Russian operatives are using phishing messages disguised as support notifications to trick users into providing verification codes or account PINs, potentially allowing attackers to take over accounts. Once compromised, attackers can access messages, contact lists, and launch further phishing attempts. The advisory emphasizes that while Signal is targeted, similar tactics can affect any messaging app. In a separate alert, the FBI highlighted Iran’s Ministry of Intelligence and Security (MOIS) using Telegram to distribute malware aimed at Iranian dissidents and journalists, enabling them to steal sensitive information. This malware often disguises itself as legitimate software and connects to Telegram bots for remote access and data exfiltration. The FBI linked these activities to the Handala Hack group, which claimed responsibility for a recent attack on medical device manufacturer Stryker. The malware can be introduced through social media by hackers posing as technical support. Experts note that the use of Telegram for cyber compromises is increasing, as it helps malicious actors avoid detection by blending their traffic with trusted platforms.

Tech Optimizer

March 19, 2026

ClickFix Lures Power LeakNet’s Growing Ransomware Attack Chain

The ransomware group LeakNet has evolved its tactics, increasing its average targets from three per month and shifting from purchasing stolen network access to launching its own campaigns. They now use deceptive error screens and a new tool that executes malicious code in a computer's memory. Their strategy includes ClickFix lures, which compromise legitimate websites to display fake security checks, tricking users into executing malicious commands. This method broadens their victim reach and reduces costs. The Deno loader, part of this strategy, collects machine information and retrieves additional malicious code without leaving standard files, making detection difficult. After infiltrating a network, LeakNet checks for active user credentials and uses PsExec for lateral movement, employing Amazon S3 buckets for payload staging and data exfiltration. Defenders are advised to monitor for suspicious behavior rather than just known malicious files, focusing on unusual web commands and unexpected cloud storage connections.

Winsage

February 26, 2026

PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs

Security researchers have developed a working Proof of Concept (PoC) exploit for a vulnerability in the Windows kernel, identified as CVE-2026-2636, which allows low-privileged users to induce a Blue Screen of Death (BSoD), resulting in a Denial of Service. This vulnerability is linked to the Windows Common Log File System (CLFS) driver, specifically the CLFS.sys component, and arises from improper handling of invalid or special elements within CLFS (CWE-159). The PoC demonstrates that a non-administrative user can trigger the bug by executing a crafted ReadFile operation on a handle linked to an opened .blf log file without the expected I/O Request Packet (IRP) flags set. This leads to a critical inconsistency in the driver, causing Windows to invoke the kernel routine KeBugCheckEx, which results in a BSoD. The CVE-2026-2636 has a CVSS score of 5.5 (Medium) and poses a high impact on availability, allowing any authenticated user to crash the host reliably. Microsoft addressed this vulnerability in the September 2025 cumulative update, protecting systems running Windows 11 2024 LTSC and Windows Server 2025 by default. However, older or unpatched builds remain vulnerable. Organizations are advised to verify the deployment of the September 2025 updates, prioritize patching multi-user systems, and monitor for unusual spikes in BSoD events.

TrendTechie

February 12, 2026

Хакеры начали активно распространять стилеры на торрентах через популярные игры

Cybersecurity specialists have identified a long-running malware campaign that disguises itself as installers for pirated games, utilizing a malicious component called the RenEngine Loader. This loader operates stealthily, embedding itself within the system while allowing the game to run without disruption, thus evading detection. The campaign has been active since at least April 2025 and primarily targets popular titles from Electronic Arts and Ubisoft, such as Far Cry, FIFA, Need for Speed, and Assassin’s Creed. The malicious code appears as a harmless launcher based on Ren’Py, leading users to believe the installation is normal. Once installed, the loader can facilitate further exploits without immediate data exfiltration. Telemetry has recorded over 400,000 inquiries related to this distribution chain, with an average detection rate of around 5,000 incidents per day, and Russia ranks fourth in these observations.

Winsage

February 11, 2026

Windows shortcut files targeted by ransomware gang Global Group

The Global Group ransomware operates in a mute mode, executing all activities locally on the compromised system without communicating with a command and control server. It generates the encryption key directly on the host machine, meaning no data is exfiltrated despite claims in its ransom note. This method streamlines the attack process, minimizes detection risks, and allows for quicker execution of attacks, targeting more victims while making data exfiltration unnecessary for compelling ransom payments.

Winsage

February 11, 2026

Global Group ransomware gang running new campaign using Windows shortcut files

The Global Group ransomware operates entirely in silent mode, executing all activities locally on the compromised system without relying on a command and control server. It generates the encryption key directly on the host machine, resulting in no actual data exfiltration despite claims in its ransom note. This approach allows for quicker attacks, targeting a broader range of victims while reducing detection risk. The act of encryption alone can compel payment due to significant operational downtime for affected organizations.

Winsage

January 16, 2026

Easterly helms RSAC, Windows update problems, Police Copilot gaffe

Jen Easterly has been appointed as the new Chief Executive Officer of the RSA Conference. She is a cybersecurity expert and former Director of the Cybersecurity and Infrastructure Security Agency (CISA). Palo Alto Networks has released security updates for a vulnerability (CVE-2026-0227) with a CVSS score of 7.7 affecting its GlobalProtect Gateway and Portal, which can cause a denial-of-service condition in PAN-OS software. The January 2026 security update from Microsoft has caused connection and authentication failures in Azure Virtual Desktop and Windows 365, affecting users across various Windows versions. Microsoft is working on a resolution. The chief constable of West Midlands Police acknowledged an error by Microsoft’s Copilot AI in generating a fictional intelligence report. Microsoft has not confirmed Copilot's involvement. Britain’s National Cyber Security Centre (NCSC) has collaborated with Five Eyes partners to provide guidance on securing industrial operational technology, highlighting risks associated with remotely monitored systems. Kyowon, a South Korean conglomerate, confirmed a ransomware attack on January 10 that may have compromised customer information, affecting approximately 5.5 million members. Researchers at Varonis have identified a new attack technique called "Reprompt" that allows data exfiltration from Microsoft Copilot via a malicious link, exploiting a Parameter 2 Prompt (P2P) injection technique. Central Maine Healthcare is notifying over 145,000 patients about a data breach that compromised personal, treatment, and health insurance information, discovered on June 1.

Tech Optimizer

December 18, 2025

Chinese hackers fake Teams downloads in false flag ploy

A cybersecurity investigation by ReliaQuest has revealed that a Chinese state-linked hacking group, Silver Fox (also known as Void Arachne), is using search engine optimization tactics to create a counterfeit Microsoft Teams download site at "teamscn[.]com." This site targets Chinese-speaking users and employs a typo-squatting strategy. Victims attempting to download the software receive a trojanized installer labeled "Setup.exe," which checks for the presence of antivirus software and executes obfuscated PowerShell commands to modify Windows Defender exclusion lists. The malware also drops a file named "Verifier.exe" and installs a functional version of Microsoft Teams to disguise its activities. The compromised system communicates with the domain "Ntpckj[.]com" to deliver the ValleyRAT payload, allowing remote access for data exfiltration and command execution. Silver Fox is linked to both state-sponsored espionage and financially motivated activities, having previously conducted similar SEO poisoning campaigns. The campaign primarily targets Chinese-speaking personnel in global organizations, particularly those with ties to China, and poses a significant risk to organizations lacking robust security measures. Security teams are advised to enhance logging and monitoring practices to detect suspicious activities.

Winsage

December 1, 2025

Microsoft confirms that its new AI agent in Windows 11 hallucinates like every other chatbot and poses security risks to users

Microsoft has introduced agentic AI capabilities for Windows 11 through the 26220.7262 update, aligning with the trend of using large language models to enhance user experiences. The company has warned about potential risks associated with these new features, including the possibility of "hallucinations" and "novel security risks," specifically highlighting a vulnerability known as cross-prompt injection (XPIA). This flaw could allow malicious content to override agent instructions, leading to unintended actions like data exfiltration or malware installation. Microsoft’s move to integrate these AI features reflects a response to competitive pressures in the tech industry, despite the known flaws and security vulnerabilities associated with them.

Winsage

December 1, 2025

Microsoft says AI agents are “risky”, but it’s moving ahead with the plan on Windows 11

Microsoft is integrating AI agents into Windows 11, despite acknowledging risks such as hallucinations, unpredictable behavior, and vulnerabilities to cyber threats like Cross Prompt Injection (XPIA). The company plans to transform every Windows 11 PC into an AI-powered machine by introducing features like Copilot Voice, Copilot Vision, and Copilot Actions. The Windows 11 taskbar will feature a new "Ask Copilot" interface for users to interact with AI agents. These agents will operate under separate accounts with limited permissions, controlled folder access, and tamper-evident logs, but still have access to personal folders like Documents and Downloads. The Agent Workspace is a key feature that allows AI agents to perform tasks in a controlled environment, separate from the user's session. Agents can interact with applications and execute multi-step tasks while being monitored. Microsoft employs the Model Context Protocol (MCP) to regulate agent interactions with applications, ensuring security and proper permissions. Despite concerns over privacy and security, Microsoft believes that integrating AI is essential for keeping Windows competitive. The company has faced backlash over previous features like Recall, which raised privacy issues, and must work to rebuild trust with users. The experimental AI features are currently optional, and Microsoft aims to demonstrate their value to encourage acceptance.