Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

Since the print scheduler operates with elevated privileges, it becomes an attractive target for exploitation, especially in environments where print services are exposed over a network.

Remote Code Execution Risk

One of the identified issues enables attackers to execute code remotely on systems that expose shared print queues without authentication. The flaw originates from improper handling of print job inputs, where specially crafted data can bypass validation checks.

By injecting malicious input into print job parameters, an attacker can manipulate how the system processes configurations. This can result in the execution of unauthorized programs through the print service, effectively giving attackers control over the affected machine under the print service context.

This risk is particularly concerning for systems that allow anonymous access to shared printers, as it removes a key barrier to exploitation.

Privilege Escalation to Root

A second vulnerability allows local users with minimal privileges to escalate their access to full system control. This attack leverages weaknesses in how temporary printers are created and validated within the system.

An attacker can trick the system into granting elevated privileges during the printer setup process, then exploit a timing gap to redirect operations toward sensitive system files. By doing so, they can overwrite critical files and gain root-level access.

This type of attack is especially dangerous because it works even in default configurations, meaning no special setup is required beyond initial access to the system.

Security Recommendations

While fixes are in progress, organizations should take immediate precautions. Disabling external access to print services can significantly reduce exposure. Where shared printing is necessary, enforcing authentication is essential.

Additionally, running the print service within security frameworks such as AppArmor or SELinux can help contain potential damage by limiting what the service is allowed to access or modify.

The post CUPS Vulnerabilities: Remote Code Execution and Root Access Risk appeared first on First Hackers News.

Overview of the Findings

The investigation indicates that this activity is directly tied to identifiable user profiles. Given that LinkedIn accounts are built on real-world identities, including professional roles and organizational affiliations, the collected data is inherently non-anonymous and can be mapped to individuals and enterprises.

The report further suggests that the platform can detect a wide range of browser extensions, some of which may indirectly reveal sensitive attributes such as personal interests, behavioral patterns, or professional intent. In particular, the tracking of job-search-related tools introduces a risk of exposing users who are actively exploring new employment opportunities.

Key observations include:

• Alleged system-level scanning without explicit consent mechanisms
• Absence of clear disclosure within publicly available privacy documentation
• Ability to infer sensitive personal and professional information through extension detection
• Monitoring of a large number of job-related tools used by professionals

Such practices, if confirmed, could raise compliance concerns under the General Data Protection Regulation, which imposes strict requirements on the collection and processing of sensitive personal data.

Competitive Intelligence and Market Implications

Beyond individual privacy risks, the report outlines potential implications in the context of competitive intelligence. It alleges that LinkedIn can detect the use of third-party sales and prospecting tools, including platforms such as Apollo, Lusha, and ZoomInfo.

By correlating tool usage with user identities, the platform could theoretically derive insights into competitor adoption, customer segmentation, and enterprise tool preferences. The report also claims that such intelligence has been leveraged in enforcement actions targeting users of external tools.

Notable findings include:

• Detection and monitoring of a broad range of competing commercial tools
• Significant expansion in the number of tracked third-party applications over time
• Use of internal infrastructure, including the “Voyager” API, with limited visibility in regulatory disclosures
• Allegations of targeted actions against users leveraging non-native tools

These concerns intersect with obligations under the Digital Markets Act, under which LinkedIn has been designated as a gatekeeper. While limited APIs were introduced as part of compliance efforts, the report suggests these interfaces are not representative of the platform’s full operational scope.

Use of Tracking Technologies

The investigation also highlights the integration of external tracking mechanisms within LinkedIn’s web environment. It alleges that invisible elements sourced from HUMAN Security are used to deploy cookies without user visibility. Additionally, encrypted scripts associated with Google, along with proprietary fingerprinting techniques, are reported to execute during routine page interactions.

These components are said to operate passively in the background, contributing to continuous data collection without direct user awareness.

Closing Perspective

If substantiated, the findings outlined in the BrowserGate report point to a potentially sophisticated and opaque data collection framework operating within a widely trusted professional platform. The implications extend beyond individual privacy, touching on regulatory compliance, competitive fairness, and transparency in large-scale digital ecosystems.

The post LinkedIn Data Scanning: Hidden Tracking of User Devices Exposed appeared first on First Hackers News.

The extension takes advantage of user curiosity around ads in AI platforms, using a familiar name to appear trustworthy. Once installed, it monitors activity without interrupting the user experience, making it difficult to notice anything unusual.

It captures prompts, responses, and related metadata while continuing to behave like a normal extension on the surface.

Behind the Operation

After installation, the extension runs silently in the background and maintains persistence through scheduled activity. It regularly connects to a remote configuration hosted on GitHub, allowing attackers to change how it behaves without requiring any update from the user side.

When a user visits ChatGPT, the extension injects hidden scripts into the webpage. Instead of performing any ad-blocking function, it extracts the content of the page by removing styling and media elements while preserving the actual text of conversations.

This data is then compiled into a file and transmitted externally through a Discord webhook controlled by the attacker. The process is automated, meaning stolen conversations are continuously delivered without user awareness.

Investigators also observed suspicious activity linked to the developer account behind the extension. After years of inactivity, the account suddenly became active again, shifting focus toward JavaScript-based behavior. The same developer is connected to other AI-related services, raising broader concerns around data exposure.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What This Means for Users

• Conversations on ChatGPT can be silently captured
• Prompts, responses, and session data are exposed
• Data is sent to external servers without visibility
• Remote control allows attackers to modify behavior anytime
• Associated services may carry similar risks

This incident shows how easily malicious tools can blend into everyday usage. Even simple extensions can operate quietly in the background while collecting valuable data.

Being cautious with browser extensions, especially those linked to popular platforms, is essential. Trust should not be based on names or claims alone, but on verified sources and transparency.

The post Malicious “ChatGPT Ad Blocker” Extension Steals User Data appeared first on First Hackers News.

Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

Tracked as CVE-2025-53521, the flaw impacts the Access Policy Manager (APM) component and could allow remote code execution. While detailed technical information has not yet been fully disclosed, the nature of the vulnerability makes it particularly dangerous. BIG-IP devices often sit at the edge of networks, handling authentication, traffic management, and secure application delivery — making them a prime target for attackers seeking initial access.

CISA’s decision to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog is a clear indicator that organizations cannot afford to delay response. This is not a theoretical risk — threat actors are already leveraging it. Historically, similar vulnerabilities in BIG-IP systems have been quickly adopted by both financially motivated attackers and advanced threat groups because compromising these devices can provide deep visibility and control over network traffic.

Why This Vulnerability Matters

What makes this issue more concerning is the potential ease of exploitation. Even without full public disclosure, vulnerabilities that enable remote code execution are often rapidly weaponized. Once exploited, attackers can move laterally across the network, escalate privileges, and potentially access sensitive data.

Edge infrastructure like BIG-IP plays a critical role in enterprise environments. When such systems are compromised, they can act as a gateway for broader attacks. This aligns with a growing trend where attackers focus on perimeter devices rather than traditional endpoints, as these systems offer higher impact with less resistance.

Immediate Actions for Security Teams

Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority security event and respond without delay.

• Apply vendor-provided patches or mitigation steps immediately
• If fixes are unavailable, restrict or temporarily disable affected services
• Continuously monitor logs for unusual administrative actions or configuration changes
• Enforce strict access controls and reduce unnecessary exposure
• Implement network segmentation to limit potential spread after compromise

In addition to these steps, security teams should remain vigilant for evolving attack techniques, as exploitation methods may become more sophisticated over time.

Final Thoughts

The rapid inclusion of CVE-2025-53521 in the KEV catalog highlights an ongoing shift in attacker strategy — targeting critical infrastructure components that sit at the heart of enterprise networks. Organizations must move beyond reactive security and adopt a proactive approach that prioritizes visibility, rapid patching, and strong access controls.

Delaying action in cases like this significantly increases the risk of widespread compromise. For organizations relying on BIG-IP systems, the message is clear: act fast, monitor closely, and assume attackers are already attempting to exploit this weakness.

The post Active Exploitation of F5 BIG-IP Vulnerability Raises Urgency appeared first on First Hackers News.

Announced on March 25, 2026, the vulnerabilities impact both authoritative servers and DNS resolvers, making them a serious concern for organizations relying on BIND 9 for critical network operations. Administrators are strongly advised to apply patches immediately to avoid service disruption or unauthorized access.

CVE Breakdown and Security Impact

The most severe issue, CVE-2026-1519 (CVSS 7.5 – High), can lead to a Denial of Service. It is triggered when a resolver performs DNSSEC validation on a specially crafted zone, causing excessive NSEC3 processing. This results in high CPU usage and significantly reduces the server’s ability to handle queries. While disabling DNSSEC validation can reduce the impact, it is not recommended as it weakens security.

The second issue, CVE-2026-3119 (CVSS 6.5 – Medium), can cause the BIND “named” process to crash. This happens when handling a valid query containing a TKEY record. However, exploitation requires access to a trusted TSIG key already configured on the server. As a temporary measure, administrators should review and remove any unnecessary or potentially compromised TSIG keys.

The third vulnerability, CVE-2026-3591 (CVSS 5.4 – Medium), is related to improper memory handling in SIG(0) processing. A crafted DNS request can lead to incorrect ACL checks, potentially allowing unauthorized access in environments where permissive access rules are used. There are no effective workarounds for this issue, making patching essential.

Affected Versions and Fixes

These vulnerabilities impact multiple BIND 9 versions, including:

• 9.11.0 to 9.16.50
• 9.18.0 to 9.18.46
• 9.20.0 to 9.20.20
• 9.21.0 to 9.21.19

To address these issues, ISC has released patched versions:

• 9.18.47
• 9.20.21
• 9.21.20

Users of the BIND Supported Preview Edition should also apply the relevant S1 patches immediately.

At the time of disclosure, there are no confirmed reports of active exploitation. However, due to the potential impact on DNS infrastructure, organizations should prioritize updates, verify their deployed versions, and ensure proper monitoring to reduce risk.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Critical BIND 9 Vulnerabilities Require Immediate Attention appeared first on First Hackers News.

Researchers observed over 21,000 command-and-control (C2) servers between July and December 2025. Along with this growth, attackers are increasingly using infected devices as residential proxies, not just for DDoS attacks.

This rise also aligns with a surge in massive DDoS campaigns. Reports highlight “hyper-volumetric” attacks, including one reaching 31.4 Tbps, showing how far these botnets have evolved. At the same time, botnet activity has sharply increased after a period of stability, indicating a renewed wave of large-scale operations.

Evolution of Mirai-Based Botnets

Mirai first appeared in 2016, targeting internet-connected devices such as routers and IoT systems that often rely on weak or default credentials. Once compromised, these devices are added to a botnet that can launch high-volume traffic floods across multiple layers.

The public release of Mirai’s source code played a major role in its growth. It allowed attackers to create multiple variants, each adding new capabilities while keeping the core attack techniques intact.

One well-known variant, Satori, rapidly spread by exploiting vulnerabilities in routers, especially through command injection flaws. It used automated scripts to download and execute malware across different device architectures, allowing infections to scale quickly without user interaction.

Expanding Capabilities and Abuse Techniques

Modern Mirai botnets are no longer limited to DDoS attacks. They are now being used in more advanced and flexible ways, increasing their overall impact.

Key capabilities seen in recent campaigns include:

• Large-scale DDoS attacks reaching record-breaking volumes
• Use of infected devices as residential proxy networks
• Automated exploitation of IoT vulnerabilities
• Multi-architecture malware deployment for wider coverage
• Stealthier operations to avoid detection

Aisuru-Kimwolf Expanding DDoS and Proxy Abuse

Newer botnet families like Aisuru and Kimwolf have taken Mirai-based threats to the next level. These botnets are now used not only for massive DDoS attacks but also as residential proxy networks that can be rented for cybercrime activities.

Security reports have linked Aisuru-Kimwolf to extremely large attacks, including one reaching 31.4 Tbps. These attacks often generate massive traffic with billions of packets per second, using random patterns to avoid basic detection and filtering systems.

At the same time, Kimwolf, which targets Android devices, is being used to exploit residential proxy services. Attackers use these networks to access internal systems, infect devices like smart TVs and smartphones, and then sell that access for activities such as fraud and credential stuffing.

Ongoing Threat and Defensive Focus

Law enforcement and tech companies have started taking action against these botnets by targeting their command-and-control infrastructure and disrupting the platforms used to manage proxy networks.

However, these efforts have not fully stopped the threat. Mirai-based botnets continue to survive and grow because many devices remain unpatched, especially routers and Android systems. Attackers can also quickly rebuild their infrastructure after disruptions.

For defenders, the focus should remain on strong basic security practices:

• Keep routers and IoT devices updated
• Monitor unusual outbound traffic
• Secure Android and edge devices
• Track indicators linked to Mirai variants

As these botnets continue to evolve, they are becoming more powerful and more versatile, combining large-scale disruption with stealthy abuse of network access.

The post Mirai Botnets Now Driving DDoS and Proxy Abuse appeared first on First Hackers News.

A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.

The flaws are tracked as CVE-2026-3055 and CVE-2026-4368. One can allow attackers to read sensitive data from memory, while the other may lead to session handling issues and unauthorized access. Both are examples of significant NetScaler vulnerabilities.

Administrators are advised to update affected systems as soon as possible.

Addressing these NetScaler vulnerabilities is crucial for maintaining the security of your network.

What Is CVE-2026-3055?

CVE-2026-3055 is the more serious of the two vulnerabilities. It has a CVSS v4.0 score of 9.3, which makes it critical.

This flaw is caused by improper input validation, which can lead to an out-of-bounds memory read. In simple terms, an attacker may be able to read sensitive information stored in the memory of the appliance.

This issue affects systems only when the NetScaler ADC or Gateway is configured as a SAML Identity Provider (IdP). If SAML IdP is not enabled, the system is not exposed to this specific flaw.

What Is CVE-2026-4368?

The second issue, CVE-2026-4368, is rated high severity with a CVSS v4.0 score of 7.7.

This vulnerability is caused by a race condition. It can result in a session mixup, where one user’s session may be wrongly assigned or exposed to another user. In some situations, this could affect administrative or normal user sessions.

A system is at risk only if it is configured as:

• AAA virtual server
• NetScaler Gateway

Gateway deployments that may be affected include:

• SSL VPN
• ICA Proxy
• Clientless VPN (CVPN)
• RDP Proxy

Affected NetScaler Versions

According to the advisory, the vulnerabilities affect only customer-managed NetScaler environments. Citrix-managed cloud services and Adaptive Authentication are not affected because they are updated automatically.

The impacted versions include:

• NetScaler ADC and Gateway 14.1 before 14.1-66.59 for CVE-2026-3055
• NetScaler ADC and Gateway 14.1-66.54 for CVE-2026-4368
• NetScaler ADC and Gateway 13.1 before 13.1-62.23 for CVE-2026-3055
• NetScaler ADC FIPS and NDcPP before 13.1-37.262 for CVE-2026-3055

Patched Versions

Cloud Software Group recommends upgrading affected systems immediately to the latest secure builds.

The patched versions are:

• 14.1-66.59
• 13.1-62.23
• 13.1-37.262 for FIPS and NDcPP editions

Updating to these versions is the best way to reduce the risk.

How to Check If Your System Is Exposed

Administrators can review their NetScaler configuration files to see whether the vulnerable features are enabled.

To check for exposure to CVE-2026-3055, search for:

• add authentication samlIdPProfile

This helps confirm whether the appliance is configured as a SAML IdP.

To check for exposure to CVE-2026-4368, search for:

• add authentication vserver for AAA virtual servers
• add vpn vserver for Gateway configurations

If these entries are present, the appliance may be exposed depending on how it is configured.

These vulnerabilities are important because they affect systems that often handle authentication, remote access, and sensitive network traffic. A successful attack could expose confidential data or allow session-related abuse.

Organizations using customer-managed NetScaler ADC or Gateway appliances should review their configurations and apply updates without delay.

Final Thoughts

The newly disclosed NetScaler vulnerabilities show why timely patching and configuration review remain critical for network security. Since these flaws can impact sensitive sessions and memory handling, administrators should act quickly to secure affected appliances.

For organizations running exposed NetScaler services, delaying updates could increase the risk of compromise.

The post Critical NetScaler Flaws Put ADC and Gateway Systems at Risk appeared first on First Hackers News.