The extension takes advantage of user curiosity around ads in AI platforms, using a familiar name to appear trustworthy. Once installed, it monitors activity without interrupting the user experience, making it difficult to notice anything unusual.

It captures prompts, responses, and related metadata while continuing to behave like a normal extension on the surface.

Behind the Operation

After installation, the extension runs silently in the background and maintains persistence through scheduled activity. It regularly connects to a remote configuration hosted on GitHub, allowing attackers to change how it behaves without requiring any update from the user side.

When a user visits ChatGPT, the extension injects hidden scripts into the webpage. Instead of performing any ad-blocking function, it extracts the content of the page by removing styling and media elements while preserving the actual text of conversations.

This data is then compiled into a file and transmitted externally through a Discord webhook controlled by the attacker. The process is automated, meaning stolen conversations are continuously delivered without user awareness.

Investigators also observed suspicious activity linked to the developer account behind the extension. After years of inactivity, the account suddenly became active again, shifting focus toward JavaScript-based behavior. The same developer is connected to other AI-related services, raising broader concerns around data exposure.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What This Means for Users

• Conversations on ChatGPT can be silently captured
• Prompts, responses, and session data are exposed
• Data is sent to external servers without visibility
• Remote control allows attackers to modify behavior anytime
• Associated services may carry similar risks

This incident shows how easily malicious tools can blend into everyday usage. Even simple extensions can operate quietly in the background while collecting valuable data.

Being cautious with browser extensions, especially those linked to popular platforms, is essential. Trust should not be based on names or claims alone, but on verified sources and transparency.

The post Malicious “ChatGPT Ad Blocker” Extension Steals User Data appeared first on First Hackers News.

What Is the Issue?

MS-Agent is a lightweight framework used to build autonomous AI agents. One of its built-in features is the Shell tool, which lets the agent run command-line instructions on the operating system.

While this makes the agent powerful, it also creates risk if commands are not properly checked before execution.

Vulnerability details:

• CVE ID: CVE-2026-2256
• Type: Command Injection / Remote Code Execution (RCE)
• Affected Software: ModelScope MS-Agent
• Vulnerable Component: Shell tool (check_safe() method)

How the Attack Works

The problem comes from how MS-Agent validates input. It uses a method called check_safe() that blocks dangerous commands using a denylist.

A denylist only blocks known bad words or patterns. Attackers can bypass this using prompt injection. They hide malicious commands inside normal-looking content such as:

• Documents the AI is asked to summarize
• Code the AI is asked to analyze
• Text that appears harmless

Because denylists can be tricked with alternate spelling, encoding, or different formats, harmful commands can pass through and get executed by the Shell tool.

What Attackers Can Do

If exploited, attackers can execute operating system commands with the same permissions as the MS-Agent process.

This may allow them to:

• Modify or delete system files
• Steal sensitive information
• Install malware or backdoors
• Use the compromised system to attack others

In severe cases, this could result in full system compromise.

Mitigation Steps

There is currently no official patch available. Organizations using MS-Agent should take immediate precautions:

• Deploy MS-Agent only in controlled environments
• Avoid processing untrusted input
• Run agents inside secure sandboxes
• Apply least-privilege access controls
• Replace denylist filtering with strict allowlist validation

Until a patch is released, isolation and strong input validation are essential.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post MS-Agent Flaw Allows Remote Hijacking of AI Agents appeared first on First Hackers News.

The vulnerability required no clicks, no extensions, and no user interaction. Simply visiting a malicious website could trigger the attack.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours.

How the Attack Worked

When a developer visited an attacker-controlled website, malicious JavaScript executed in the browser. That script initiated a WebSocket connection directly to the local OpenClaw gateway.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Because the gateway exempted localhost connections from rate limiting, attackers could perform rapid brute-force password attempts — often hundreds per second — significantly increasing the likelihood of bypassing human-created passwords.

Once authentication was successful, the malicious script silently registered itself as a trusted device. This bypassed normal user confirmation prompts and granted persistent access.

From there, the attacker effectively controlled the AI agent and the connected environment.

What Attackers Could Do

With gateway-level access, attackers could:

• Send instructions to the AI agent and retrieve responses
• Access configuration data, including AI providers and integrations
• Enumerate connected nodes and internal IP addresses
• Read logs for operational and reconnaissance insights
• Search Slack or messaging history for API keys and credentials
• Extract sensitive files from the workstation
• Execute shell commands on connected systems

In practical terms, this equated to a full workstation compromise.

This incident highlights a growing cybersecurity concern: shadow AI. Developer-adopted AI tools often operate outside traditional IT visibility while maintaining deep access to local systems, credentials, APIs, and internal communications.

Earlier this year, OpenClaw’s ecosystem also faced issues with malicious community “skills” distributed through its marketplace. However, this newly discovered vulnerability was more severe because it resided in the core gateway architecture itself — not in third-party plugins.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours. Users and organizations must immediately upgrade to version 2026.2.25 or later to mitigate risk.

Beyond patching, enterprises should implement stronger governance, monitoring, and security controls for AI-powered developer tools.

As AI agents gain deeper system access, their compromise no longer represents just an application breach — it represents full environment exposure.

The post OpenClaw Exploit Compromises Developer AI Agents appeared first on First Hackers News.

How the AI Was Jailbroken

Between December 2025 and January 2026, the attacker used repeated Spanish-language prompts to bypass Claude’s safety controls. By presenting the requests as part of a “bug bounty simulation” and asking the AI to role-play as an elite hacker, the threat actor gradually overcame built-in restrictions.

Once guardrails were bypassed, the AI generated detailed technical outputs that supported the attack lifecycle.

The attacker leveraged AI to:

• Identify vulnerabilities in legacy government systems
• Generate exploit code for SQL injection and network scanning
• Assist with credential stuffing techniques
• Provide structured, step-by-step attack guidance

When Claude reached usage limits, the operator allegedly pivoted to another AI model to continue planning lateral movement and evasion strategies.

The campaign focused on outdated infrastructure and unpatched web applications. Approximately 20 vulnerabilities were exploited, leading to the theft of nearly 150GB of sensitive data, including taxpayer records, voter information, and government employee credentials.

Security researchers noted that the AI significantly lowered the technical barrier required to execute complex attacks, enabling a single operator to conduct a large-scale campaign without advanced infrastructure.

Anthropic has since banned the related accounts and enhanced monitoring mechanisms to detect misuse. While investigations continue, the incident highlights the growing risk of AI-assisted cybercrime and the urgent need for stronger patch management and AI interaction monitoring across government environments.

The post Hacker Manipulates Claude AI to Steal Government Data appeared first on First Hackers News.

Importantly, the attacker did not exploit any new FortiGate vulnerability. Instead, they targeted devices with exposed management ports and weak single-factor credentials. Basic security gaps — combined with AI assistance — allowed a relatively low-skilled actor to operate at large scale.

Amazon assessed that the attacker relied heavily on AI for planning attacks, generating commands, writing custom tools, and organizing operations. When one AI tool failed, another was used as backup. Researchers described the setup as an “AI-powered assembly line” for cybercrime.

How the Attacks Worked

The campaign focused on internet-exposed FortiGate management interfaces on common ports such as 443 and 8443. The attacker scanned for accessible devices and attempted logins using commonly reused credentials. Once inside, full device configurations were extracted, exposing credentials, network details, and VPN access.

After gaining VPN entry, the attacker moved deeper into networks. In several cases, Active Directory environments were compromised and credential databases were stolen. Backup systems were also targeted, suggesting possible ransomware preparation.

Key Post-Compromise Activities

• Extracted FortiGate configuration files and credentials
• Performed DCSync attacks to gain domain-level access
• Used pass-the-hash and NTLM relay for lateral movement
• Scanned networks with tools like Nuclei
• Targeted Veeam backup servers and known vulnerabilities
• Deployed AI-assisted custom reconnaissance tools

Interestingly, when facing hardened environments with proper security controls, the attacker often abandoned the target and shifted to easier victims. This reinforces that the campaign relied on automation and scale rather than advanced exploitation skills.

The compromised organizations were spread across South Asia, Latin America, Northern Europe, West Africa, Southeast Asia, and the Caribbean.

The Bigger Picture

This case highlights a growing trend: AI is lowering the barrier to entry for cybercrime. Tools that once required experienced teams can now be assembled and executed by smaller groups using AI support.

The lesson is clear. Organizations must close exposed management ports, enforce multi-factor authentication, rotate credentials, secure backup infrastructure, and maintain strong patch management.

As AI-assisted attacks increase, strong security fundamentals remain the best defense.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post AI Tools Help Hacker Breach 600+ FortiGate Devices appeared first on First Hackers News.

The company credits stronger, multi-layered protections and AI-powered reviews for discouraging attackers from targeting the Play Store in the first place.

Every app submitted to Google Play now goes through more than 10,000 automated and human safety checks before publication, followed by continuous monitoring after it goes live. Google has also added generative AI models to help reviewers detect complex malware, fraud schemes, hidden subscriptions, and misuse of user data.

Privacy, Reviews, and Child Safety – Google malicious apps

Beyond blocking malicious apps, Google strengthened privacy and trust controls across the platform.

Key highlights from 2025:

• 1.75+ million apps rejected for malware, fraud, hidden charges, or data misuse
• 80,000+ bad developer accounts banned
• 255,000 apps restricted from accessing excessive sensitive data
• 160 million fake or abusive ratings and reviews blocked
• Extra protections added to prevent children from accessing high-risk apps

Tools like Play Policy Insights and the Data Safety section help developers fix privacy issues before submission, reducing accidental violations.

On-Device Protection with Play Protect

Security doesn’t stop at the Play Store. Google Play Protect now scans over 350 billion apps daily, including sideloaded apps installed outside the store.

In 2025:

• 27 million new malicious sideloaded apps detected
• Expanded fraud protection to 185 markets (2.8+ billion devices)
• 266 million risky installation attempts blocked
• 872,000 high-risk scam apps stopped
• New in-call scam protection prevents users from disabling Play Protect during social-engineering attacks

How Google Strengthened Play Store Security in 2025

Developers made over 20 billion daily integrity checks using the Play Integrity API to protect apps from abuse and spoofing. Hardware-backed security signals and improved account verification are also being expanded, including limited distribution accounts for students and hobbyists.

Looking ahead, Google plans deeper AI integration, stricter verification, and new Android 16 protections such as built-in defenses against tapjacking.

Together, these measures show Google’s broader strategy: block malicious apps at scale, reduce fraud and privacy abuse, and strengthen trust across the Android ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Google Blocks 1.75 Million Harmful Apps from Play Store in 2025 appeared first on First Hackers News.

Instead of using fixed screen coordinates or simple automation rules, PromptSpy sends Gemini a natural-language request along with an XML snapshot of the current screen. This snapshot includes details about visible elements such as text, type, and screen position.

Gemini analyzes the screen content and responds with JSON instructions telling the malware what action to perform — such as tap, long-press, or swipe — and exactly where to do it.

The main goal is persistence. PromptSpy uses this AI-driven method to keep its malicious app pinned in the Recent Apps list, even when the user tries to close it.

The malware runs in a loop. It executes Gemini’s instructions using Android’s Accessibility Service, captures the updated screen, and sends it back to Gemini. This continues until the AI confirms the app is successfully pinned. Because it relies on AI analysis instead of hardcoded rules, it works across different devices, Android versions, and manufacturer customizations.

Security researchers at ESET describe PromptSpy as the first known Android malware to directly integrate generative AI into its execution flow. The focus is stealthy persistence and maintaining control over the device.

Android AI Malware Capabilities

Beyond AI-based persistence, PromptSpy also acts as a powerful remote access tool.

It includes a built-in VNC component that allows attackers to control the infected phone in real time. Once the victim grants Accessibility permissions, attackers can:

• View the device screen live
• Simulate taps and gestures
• Perform actions as if physically holding the phone

The malware can capture lockscreen credentials, gather device information, take screenshots, record screen activity as video, and monitor which app is currently in use.

It communicates with a hardcoded command-and-control server using the VNC protocol, protected by AES encryption. The server can also send a Gemini API key and additional task instructions to the malware.

PromptSpy also actively blocks removal attempts. It abuses Accessibility permissions to place invisible overlays on important system buttons, including those used to uninstall the app or disable its privileges.

These transparent overlays intercept user taps on “Uninstall” or “Stop,” preventing normal removal.

Technical analysis shows that PromptSpy is delivered through a dropper app. The malicious payload (app-release.apk) is embedded inside the dropper’s assets directory.

Campaign Spread and Target Regions

ESET connects PromptSpy to a multi-stage, financially driven campaign mainly targeting users in Argentina.

An earlier variant, VNCSpy, was uploaded from Hong Kong in January 2026. More advanced PromptSpy samples appeared from Argentina in February 2026.

The malware spread through domains such as mgardownload[.]com and m-mgarg[.]com, which imitated JPMorgan Chase branding under the name “MorganArg” using Spanish banking lures.

Analysis of the same infrastructure revealed another Android phishing trojan signed with the same certificate and using the same fake banking site, likely acting as the initial infection stage before deploying PromptSpy.

Although PromptSpy has not appeared widely in ESET telemetry and may still be in limited testing, the active domains confirm some real-world use.

Code findings, including simplified Chinese debug strings and references to Chinese Accessibility events, suggest development in a Chinese-speaking environment, even though current targets are in Latin America.

PromptSpy is not available on Google Play, and Google Play Protect now detects known variants.

This campaign follows ESET’s 2025 discovery of PromptLock, an AI-powered ransomware prototype, highlighting the growing use of generative AI in malware operations.

IOCs

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post PromptSpy: Android Malware Uses Google Gemini AI appeared first on First Hackers News.

A recent campaign shows attackers abusing shareable ChatGPT and Grok conversations, then promoting those links through Google Search ads. The goal? Convince macOS users to run Terminal commands that quietly install the Atomic macOS Stealer (AMOS).

This isn’t traditional malware distribution. It’s credibility-based delivery.

The Shift: Malware Hidden Behind Trust

Instead of hosting malware on suspicious domains, attackers are:

• Publishing malicious “how-to” conversations on legitimate AI platforms
• Boosting those pages using Google Ads
• Framing the instructions as helpful troubleshooting steps

For example, a user searching for something harmless like “clear disk space on macOS” may encounter a sponsored AI chat result. The page looks legitimate. The domain is trusted. The instructions appear technical and helpful.

But the recommended Terminal command downloads and executes malicious code.

No fake installer.
No cracked software.
Just copy, paste, and compromise.

The malicious instructions are hosted on legitimate AI domains via public sharing links. That removes the psychological red flag users often rely on.

Paid ads further amplify visibility, placing these AI-hosted pages at the top of search results — sometimes ahead of legitimate support content.

This is social engineering layered with platform trust.

The Target: Cryptocurrency and Browser Data

macOS infostealers like AMOS are part of a growing underground economy. Their primary targets include:

• Saved browser credentials
• Apple Keychain secrets
• Cryptocurrency wallets and seed phrases
• Chrome crypto extensions (over 100 reported targets)
• Wallet-themed phishing tied to brands like Ledger, Trezor, and Exodus

Some operators even advertise affiliate-style revenue sharing for crypto theft, highlighting how organized this ecosystem has become

What defenders should watch for

• Users copying Terminal commands from web pages
• Scripts that download and execute immediately
• Signed apps requesting unexpected permissions
• Unusual outbound traffic to crypto-related infrastructure

The bigger pattern is clear.

Modern macOS attacks don’t rely on obvious red flags anymore.

They rely on trusted platforms, legitimate domains, paid visibility, and signed applications to remove the moment where a user might hesitate.

That’s the shift defenders need to understand.

The post Threat Actors Leverage ChatGPT, Grok, and Google Ads to Deploy macOS AMOS Stealer appeared first on First Hackers News.

Two of the most notable families identified are PromptFlux and QuietVault. These samples highlight how attackers are moving beyond static malware into self-modifying and AI-assisted malware — a trend that has serious implications for defenders. 

1. PromptFlux — Self-Modifying AI Malware 

PromptFlux represents one of the earliest examples of malware that uses an AI model to update its own code on the fly: 

What It Is 

• A VBScript-based dropper that uses API calls to large language models like Google Gemini to generate obfuscated VBScript code. 

• It rewrites itself dynamically, effectively evading static signature detection and making each variant slightly unique. 

How It Works 

• PromptFlux includes a component known as the “Thinking Robot.” 

• This module sends prompts to the AI model asking it to produce obfuscated code that performs the same malicious function but looks different. 

• The malware then writes this regenerated code to the system and uses it for its operations. 

Persistence and Spread 

• The regenerated code is saved to locations such as the Windows Startup folder to ensure it runs after a reboot. 

• It also attempts to copy itself to removable drives (USB) and network shares to spread to other systems. 

Why It’s Dangerous 

• Each run can generate a new variant that signature-based antivirus tools won’t recognize. 

• This makes it significantly harder for traditional detection methods to keep up. 

2. QuietVault — AI-Assisted Credential Stealer 

QuietVault uses AI in a different way — to enhance credential harvesting and token theft. 

What It Is 

• A JavaScript-based malware designed to steal credentials — especially GitHub tokens, NPM authentication tokens, and cloud service secrets. 

• Instead of relying on static routines, it uses available AI tools on the host system (CLI-based AI tools) to expand its search. 

How It Uses AI 

• QuietVault formulates AI prompts that instruct the local AI model to help it search for additional sensitive data on the compromised system. 

• This means the malware is not limited to predefined searches — it can adjust what it’s looking for based on the system context. 

Data Exfiltration 

• Once credentials are collected, they are exfiltrated to attacker-controlled locations, such as public GitHub repositories, making tracking more difficult. 

Additional Emerging AI-Involved Malware 

Beyond these two families, researchers have identified other proofs-of-concept that illustrate similar trends: 

• PromptSteal — Uses AI models to generate advanced reconnaissance commands. 

• FruitShell — A reverse shell that blends malicious traffic with legitimate system processes. 

• PromptLock — A concept ransomware that uses AI to customize encryption logic. (Still experimental 

Why AI-Based Malware Matters 

These malware families highlight a new era of threats: 

Evasion Through Adaptation 

• Malware that rewrites itself at runtime can avoid static detection and slow down security responses. 

Dynamic Behavior 

• Instead of fixed routines, AI-assisted malware can change structure, payloads, or behavior based on system context or attacker goals. 

Automation of Complex Tasks 

• AI enables attackers to automate parts of malware development and execution that previously required manual scripting, reducing operational effort. 

Increased Detection Challenges 

• Traditional indicators of compromise (IOCs), such as file hashes or static code signatures, become less reliable. 

• Behavioral and AI-aware detection methods become essential. 

How Defenders Must Respond 

To defend against these evolving threats, organizations need to rethink detection and response: 

Behavioral Monitoring 

• Look for unusual script activity, unexpected API calls, and dynamic code execution. 

• Watch for frequent code rewrites or execution patterns that change at runtime. 

Memory-Based Detection 

• Since these threats often avoid writing files to disk, detection must include memory behavior analysis. 

AI-Aware Defense 

• Security tools should incorporate AI-aware heuristics capable of understanding anomalous AI model queries or usage patterns within a host. 

Threat Intelligence 

• Organizations must stay current with emerging malware families and indicators published by reputable sources such as Google, Microsoft, and CERTs. 

How 𝗶𝟲 Helps Organizations Defend Against AI-Driven Malware 

Threats like PromptFlux and QuietVault show that attackers are no longer relying on static malware. They are using AI, scripting, memory execution, and legitimate system tools to stay hidden. This means traditional defenses alone are not enough. 

𝗶𝟲 helps organizations prepare for this new generation of threats through: 

Advanced Threat Detection 
Behavior-based monitoring to identify suspicious scripting, abnormal process behavior, and in-memory execution that signature tools may miss. 

Threat Hunting & Intelligence 
Proactive hunting for stealth techniques such as LOLBin abuse, dynamic code execution, and unusual AI or scripting activity within enterprise environments. 

Endpoint & Network Security Hardening 
Strengthening system configurations, reducing attack surfaces, and implementing controls that limit misuse of built-in tools and scripts. 

Incident Response Readiness 
Rapid investigation and containment support when advanced malware activity is suspected, minimizing impact and dwell time. 

Security Strategy for Emerging Threats 
Helping organizations adapt their defenses to modern risks — including AI-assisted malware, fileless attacks, and modular backdoors. 

As malware becomes smarter and more adaptive, defense must become smarter too. 

 
𝗶𝟲 focuses on visibility, behavior, and resilience — the key pillars for stopping modern, stealth-driven attacks. 

Final Thought 

The discovery of PromptFlux and QuietVault represents a paradigm shift in malware development. What was once theoretical — malware that uses AI during execution — is now real. 

This is not a distant future threat. It’s here. And it challenges defenders to move beyond static detection toward adaptive, behavior-centric security models. 

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post The Next Generation of Malware: AI-Enabled and Adaptive Threats  appeared first on First Hackers News.

AI-Driven Phishing Kit

Researchers track the activity using a small but unusual clue: four mushroom emojis hidden inside the text “OUTL.” So far, this marker has been linked to more than 75 separate attack setups.

The attackers collect stolen email usernames and passwords, along with the victim’s IP address and location. This information is then sent to the attackers using Telegram and Discord.

To trick users, the phishing page copies the Outlook login screen and displays prompts in Spanish, making it look legitimate to victims.

After a victim enters their login details, the phishing tool quickly adds extra context to the stolen data. It checks the user’s IP address using api.ipify.org and pulls location details from ipapi.co.

This data collection happens instantly, before the stolen credentials are sent to the attackers.

The campaign shows careful planning. Even though the attackers change how the code is hidden, the way the operation runs stays mostly the same.

Sage Hollow researchers first spotted the activity by noticing the repeated mushroom emoji marker, which helped them trace more related attacks.

Over time, the phishing kit has appeared in multiple versions. Some use heavy obfuscation and anti-analysis tricks, while others are left completely open and resemble AI-generated code. The latest version, disBLOCK.js, uses clean formatting, clear function names, and Spanish comments explaining each step — signs that the code was likely generated with AI rather than written fully by hand.

How the Phishing Kit Works

The phishing tool is designed with separate pieces, keeping its settings away from the main logic. In earlier versions, a file called xjsx.js was used to store Telegram bot details with only basic hiding techniques.

When someone enters their login details on the fake page, the tool runs through a set process. It checks whether the email address is valid, then reaches out to external services to collect IP and location information.

All stolen data is bundled into a standard message format and sent over regular HTTPS connections. The attackers use either Telegram bots or Discord webhooks to receive this information.

Newer samples rely more on Discord webhooks because they work as one-way channels. Even if the link is discovered, past data cannot be viewed.

This setup points to a shared phishing platform, where multiple attackers reuse the same toolkit across different campaigns.

Security Recommendations

• Organizations should enable phishing-resistant MFA on Microsoft accounts to reduce the impact of stolen passwords.
• Email gateways should be tuned to detect look-alike Outlook login pages and block messages that redirect users to external authentication sites.
• Security teams should monitor outbound traffic for suspicious connections to Telegram bot APIs and Discord webhooks, especially from user workstations.
• User awareness remains critical. Employees should be reminded to verify login pages and avoid entering credentials through email links.
• Incident response teams should reset affected credentials immediately and review sign-in logs for abnormal locations and IP addresses.

The post AI-Driven Phishing Kit Targets Microsoft Accounts appeared first on First Hackers News.