Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

How the Malicious Package Operates

The fake package was uploaded under a seemingly legitimate name and presented as a utility for checking AI tokens. However, several warning signs were overlooked. The documentation was copied from an unrelated project, indicating a lack of authenticity, and the package structure was crafted to appear credible at first glance.

Once installed, the package connects to a remote server hosted on Vercel to fetch additional hidden code. Instead of storing malicious files on disk, it executes payloads directly in memory, making detection significantly harder.

Key behaviors observed:

• Contacts a remote endpoint to download and execute hidden scripts
• Uses obfuscation to hide command-and-control (C2) details
• Executes payloads in memory to bypass traditional security tools
• Disguises itself with legitimate-looking files and dependencies

Even after the main package was removed, related packages from the same source remain active and continue to be downloaded.

Multi-Stage Malware Capabilities

Further analysis revealed that the payload is not a simple script but a modular backdoor with multiple capabilities running in parallel. Each module performs a specific malicious function, allowing attackers to maintain control and extract valuable data.

Core functionalities include:

• Remote access module enabling attackers to control the infected system
• Credential theft targeting browsers and cryptocurrency wallets
• File exfiltration scanning for sensitive documents and configuration files
• Clipboard monitoring to capture copied data such as keys or passwords

The malware uses advanced obfuscation techniques, making it difficult to analyze. Its structure and behavior closely resemble known backdoors, particularly those linked to sophisticated threat campaigns.

Focus on AI Development Environments

The malicious code actively searches for folders linked to widely used AI tools such as Cursor, Claude, Gemini CLI, Windsurf, PearAI, and Eigent. These directories often store API keys, authentication tokens, and even conversation histories.

By extracting this data, attackers can misuse paid AI services, access proprietary code, and potentially pivot deeper into enterprise systems using additional credentials like SSH keys or cloud access tokens.

Key risks include:

• Theft of API keys and AI service tokens
• Exposure of sensitive prompts and development data
• Unauthorized use of paid AI platforms
• Increased risk of broader infrastructure compromise

Detection and Defensive Measures

From a defensive standpoint, visibility into unusual outbound traffic is critical. Monitoring connections to external infrastructure, especially uncommon endpoints, can help identify suspicious package behavior early.

Security teams can also leverage threat hunting techniques to detect patterns associated with multi-process Node.js malware and unusual communication channels such as Socket.IO-based command-and-control traffic.

Recommended actions:

• Monitor and restrict unnecessary outbound network connections
• Watch for abnormal Node.js process activity
• Identify unusual file access in developer environments
• Use threat hunting queries to detect similar attack patterns

Securing Developer Workflows

This campaign reflects a broader trend of supply chain attacks targeting developer ecosystems, particularly those involving AI tools. As these tools become deeply integrated into workflows, they also become high-value targets.

Developers should treat AI-related directories with the same level of sensitivity as critical folders like .ssh or cloud configuration paths. Before installing any package, it is essential to verify its authenticity, review its dependencies, and examine any unusual installation behavior.

Early reporting of suspicious packages and increased awareness within the developer community can significantly reduce the impact of such threats.

IOCs

The post Malicious npm Package Impersonates Gemini to Steal AI Tokens appeared first on First Hackers News.

Since the print scheduler operates with elevated privileges, it becomes an attractive target for exploitation, especially in environments where print services are exposed over a network.

Remote Code Execution Risk

One of the identified issues enables attackers to execute code remotely on systems that expose shared print queues without authentication. The flaw originates from improper handling of print job inputs, where specially crafted data can bypass validation checks.

By injecting malicious input into print job parameters, an attacker can manipulate how the system processes configurations. This can result in the execution of unauthorized programs through the print service, effectively giving attackers control over the affected machine under the print service context.

This risk is particularly concerning for systems that allow anonymous access to shared printers, as it removes a key barrier to exploitation.

Privilege Escalation to Root

A second vulnerability allows local users with minimal privileges to escalate their access to full system control. This attack leverages weaknesses in how temporary printers are created and validated within the system.

An attacker can trick the system into granting elevated privileges during the printer setup process, then exploit a timing gap to redirect operations toward sensitive system files. By doing so, they can overwrite critical files and gain root-level access.

This type of attack is especially dangerous because it works even in default configurations, meaning no special setup is required beyond initial access to the system.

Security Recommendations

While fixes are in progress, organizations should take immediate precautions. Disabling external access to print services can significantly reduce exposure. Where shared printing is necessary, enforcing authentication is essential.

Additionally, running the print service within security frameworks such as AppArmor or SELinux can help contain potential damage by limiting what the service is allowed to access or modify.

The post CUPS Vulnerabilities: Remote Code Execution and Root Access Risk appeared first on First Hackers News.

Overview of the Findings

The investigation indicates that this activity is directly tied to identifiable user profiles. Given that LinkedIn accounts are built on real-world identities, including professional roles and organizational affiliations, the collected data is inherently non-anonymous and can be mapped to individuals and enterprises.

The report further suggests that the platform can detect a wide range of browser extensions, some of which may indirectly reveal sensitive attributes such as personal interests, behavioral patterns, or professional intent. In particular, the tracking of job-search-related tools introduces a risk of exposing users who are actively exploring new employment opportunities.

Key observations include:

• Alleged system-level scanning without explicit consent mechanisms
• Absence of clear disclosure within publicly available privacy documentation
• Ability to infer sensitive personal and professional information through extension detection
• Monitoring of a large number of job-related tools used by professionals

Such practices, if confirmed, could raise compliance concerns under the General Data Protection Regulation, which imposes strict requirements on the collection and processing of sensitive personal data.

Competitive Intelligence and Market Implications

Beyond individual privacy risks, the report outlines potential implications in the context of competitive intelligence. It alleges that LinkedIn can detect the use of third-party sales and prospecting tools, including platforms such as Apollo, Lusha, and ZoomInfo.

By correlating tool usage with user identities, the platform could theoretically derive insights into competitor adoption, customer segmentation, and enterprise tool preferences. The report also claims that such intelligence has been leveraged in enforcement actions targeting users of external tools.

Notable findings include:

• Detection and monitoring of a broad range of competing commercial tools
• Significant expansion in the number of tracked third-party applications over time
• Use of internal infrastructure, including the “Voyager” API, with limited visibility in regulatory disclosures
• Allegations of targeted actions against users leveraging non-native tools

These concerns intersect with obligations under the Digital Markets Act, under which LinkedIn has been designated as a gatekeeper. While limited APIs were introduced as part of compliance efforts, the report suggests these interfaces are not representative of the platform’s full operational scope.

Use of Tracking Technologies

The investigation also highlights the integration of external tracking mechanisms within LinkedIn’s web environment. It alleges that invisible elements sourced from HUMAN Security are used to deploy cookies without user visibility. Additionally, encrypted scripts associated with Google, along with proprietary fingerprinting techniques, are reported to execute during routine page interactions.

These components are said to operate passively in the background, contributing to continuous data collection without direct user awareness.

Closing Perspective

If substantiated, the findings outlined in the BrowserGate report point to a potentially sophisticated and opaque data collection framework operating within a widely trusted professional platform. The implications extend beyond individual privacy, touching on regulatory compliance, competitive fairness, and transparency in large-scale digital ecosystems.

The post LinkedIn Data Scanning: Hidden Tracking of User Devices Exposed appeared first on First Hackers News.

If attackers are able to crash the device or change its configuration, it can disrupt monitoring and create security gaps. This makes it important for users to install the latest firmware updates as soon as possible.

Multiple Memory Handling Flaws

Several vulnerabilities were discovered in how the camera processes incoming data. These issues are mainly related to improper validation of HTTP requests and video stream inputs.

Because the system does not correctly check data size limits, an attacker on the same network can send specially crafted inputs that overflow memory and cause instability.

The identified issues include:

• CVE-2026-34118: Weak validation in HTTP POST request handling after memory allocation
• CVE-2026-34119: Improper handling of segmented HTTP request data without boundary checks
• CVE-2026-34120: Insecure processing of video stream inputs leading to overflow
• CVE-2026-34122: Stack-based overflow caused by oversized configuration values
• CVE-2026-34124: Path expansion issue where processed request paths exceed memory limits

These vulnerabilities can lead to memory corruption, causing the device to freeze, crash, or reboot, resulting in denial-of-service conditions.

Authentication Bypass – Critical Risk

The most severe issue in this set is an authentication bypass vulnerability.

• CVE-2026-34121: Allows attackers to bypass login checks

This flaw exists due to inconsistent validation during request processing. An attacker can craft a request that combines permitted and restricted actions, tricking the system into skipping authentication.

As a result, unauthorized users can execute restricted commands and modify device settings without logging in.

Impact and Risk

All these vulnerabilities carry high severity scores, with most rated around 7.1 and the authentication bypass reaching a higher critical score.

These issues are especially dangerous because they can be exploited by attackers on the same network, making local access a key risk factor.

Older or unpatched devices are more vulnerable, particularly those running firmware versions earlier than 1.2.4 Build 260326 Rel.24666n.

What Users Should Do

• Update the device firmware to the latest available version immediately
• Use the Tapo app or device interface to check for updates
• Avoid running outdated firmware on security devices
• Regularly review and maintain IoT device security

Applying updates ensures that these vulnerabilities are patched and reduces the risk of unauthorized access or service disruption.

Final Thoughts

This case highlights an important reality: even security devices can become weak points if not properly maintained.

Keeping firmware up to date is one of the simplest and most effective ways to protect your network and ensure your surveillance systems remain reliable.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post TP-Link Tapo Camera Vulnerabilities Put Devices at Risk appeared first on First Hackers News.

The extension takes advantage of user curiosity around ads in AI platforms, using a familiar name to appear trustworthy. Once installed, it monitors activity without interrupting the user experience, making it difficult to notice anything unusual.

It captures prompts, responses, and related metadata while continuing to behave like a normal extension on the surface.

Behind the Operation

After installation, the extension runs silently in the background and maintains persistence through scheduled activity. It regularly connects to a remote configuration hosted on GitHub, allowing attackers to change how it behaves without requiring any update from the user side.

When a user visits ChatGPT, the extension injects hidden scripts into the webpage. Instead of performing any ad-blocking function, it extracts the content of the page by removing styling and media elements while preserving the actual text of conversations.

This data is then compiled into a file and transmitted externally through a Discord webhook controlled by the attacker. The process is automated, meaning stolen conversations are continuously delivered without user awareness.

Investigators also observed suspicious activity linked to the developer account behind the extension. After years of inactivity, the account suddenly became active again, shifting focus toward JavaScript-based behavior. The same developer is connected to other AI-related services, raising broader concerns around data exposure.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What This Means for Users

• Conversations on ChatGPT can be silently captured
• Prompts, responses, and session data are exposed
• Data is sent to external servers without visibility
• Remote control allows attackers to modify behavior anytime
• Associated services may carry similar risks

This incident shows how easily malicious tools can blend into everyday usage. Even simple extensions can operate quietly in the background while collecting valuable data.

Being cautious with browser extensions, especially those linked to popular platforms, is essential. Trust should not be based on names or claims alone, but on verified sources and transparency.

The post Malicious “ChatGPT Ad Blocker” Extension Steals User Data appeared first on First Hackers News.

These applications worked as expected, which helped them avoid suspicion and gain user trust. Before they were removed, they reached over 2.3 million downloads, exposing a large number of users.

The campaign mainly targets older Android devices by exploiting 22 known vulnerabilities that were originally patched between 2016 and 2021. Devices running outdated versions, especially Android 7 and below, are at the highest risk because they no longer receive security updates.

Stealthy Entry Through Legitimate Apps

The attack begins when a user installs one of the infected apps and opens it. Everything appears normal, but hidden code is triggered in the background during the app’s startup process.

To remain undetected, these apps request minimal permissions and include common frameworks like Firebase, analytics tools, and social SDKs. This helps them blend in with legitimate applications.

The initial malicious payload is hidden inside what looks like a normal image file. In reality, the image contains encrypted data attached to it. Once executed, the app extracts and decrypts this payload directly in memory, leaving very little trace behind.

The malware then runs a series of checks to avoid detection. It looks for emulators, debugging tools, VPNs, proxies, and even uses geofencing to skip certain regions. Only after passing these checks does it connect to its command-and-control server.

Modular Payload and Deep System Control

After connecting to its server, the malware downloads additional components disguised as harmless files. These components are customized based on the infected device.

It collects detailed information such as device model, kernel version, installed apps, and security patch level. Based on this, it selects the most effective exploit to gain control.

Once successful, the attackers gain root access and disable important security protections like SELinux. The rootkit then embeds itself into the system by modifying critical libraries, allowing it to inject malicious code into every app running on the device.

On older devices, this level of access allows the malware to survive even after a factory reset.

WhatsApp Session Hijacking

One of the most serious capabilities of this campaign is targeting WhatsApp.

When WhatsApp is opened, the malware extracts sensitive data, including encrypted databases and key identifiers used by the app. It also collects information such as phone number, country code, and account details.

This data is sent to attacker-controlled servers using encrypted communication that mimics legitimate traffic. With this information, attackers can clone or hijack the victim’s WhatsApp session on another device.

Infrastructure and Evasion Techniques

NoVoice uses a segmented infrastructure where different servers handle different tasks like device tracking, payload delivery, exploit hosting, and command execution.

It also uses cloud services to host its payloads, allowing attackers to quickly change servers if any part of the operation is detected. This makes the campaign more resilient and harder to shut down completely.

The techniques used in this campaign show similarities with previously known Android malware, especially in how it injects code into system processes and maintains persistence.

Who Is Most at Risk

Devices running newer Android versions with updated security patches are not affected by the specific exploits used in this campaign. However, they may still be exposed to other malicious components.

Older and unsupported devices remain the most vulnerable. Since they no longer receive updates, they continue to be exposed to known security flaws that attackers can exploit.

Final Thoughts

The NoVoice campaign is a strong reminder that even official app stores are not completely safe from advanced threats.

It also highlights the risks of using outdated devices. Keeping systems updated, being cautious with app installations, and using mobile security tools are essential steps to reduce exposure to such attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post NoVoice: A Silent Rootkit Campaign Targeting Android Users appeared first on First Hackers News.

Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

That brief moment is exactly why this “three-finger test” has gone viral. It reveals something important: even advanced deepfake systems still struggle under certain real-time conditions.

What’s Really Happening in That Viral Clip

At first, the video seems like a normal interaction. The person responds naturally, maintains eye contact, and appears authentic. But when the hand moves in front of the face, the illusion begins to break.

This happens because most live deepfake systems depend on continuously tracking facial features. When those features are partially blocked, the system briefly loses its reference points. The result is a visual inconsistency that the human eye can catch — even if only for a second.

That one second is enough to raise suspicion.

Why This Simple Trick Works

The effectiveness of this trick lies in how it disrupts the assumptions deepfake systems rely on. These systems expect a relatively stable, visible face to maintain accuracy. A sudden, close-range hand movement changes that completely.

Here’s why it works so well right now:

• It introduces unpredictability into a controlled system
• It blocks key facial landmarks needed for tracking
• It forces real-time recalculation under time pressure
• It exposes weaknesses in rendering hands and motion together

Each of these factors increases the chances of visible glitches.

Why Fingers Are a Problem for AI

Hands are one of the most complex parts of the human body to replicate digitally. Fingers bend, overlap, and change shape depending on angle and movement.

When this complexity is added in front of a moving face, the system has to process both occlusion and motion at once. This is where errors start to appear — and where the illusion becomes fragile.

Why This Matters More Than It Seems

This isn’t just a social media trick. It highlights a growing security concern.

Deepfake technology is already being used in:

• Fraud attempts during video-based verification
• Impersonation in business communication
• Social engineering attacks targeting employees

In these scenarios, trust is built visually. If something looks real, it is often accepted as real. That’s what makes live deepfakes dangerous.

The viral video is a reminder that even simple interactions can challenge that trust.

Not a Perfect Solution — But a Useful Signal

While the three-finger test works today, it should not be treated as a guaranteed detection method. Deepfake systems are improving quickly, and future versions may handle these situations more smoothly.

Still, the idea behind it is powerful: introduce real-time, unexpected actions that are hard for AI to predict.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The Bigger Takeaway

The real lesson from this viral moment is not just about fingers or gestures. It’s about how we verify identity in a world where visuals can no longer be trusted completely.

Small, human-driven checks can sometimes reveal what advanced systems try to hide.

Closing Thoughts

The “three-finger” trick became popular because it is simple, visual, and surprisingly effective. It shows that even the most convincing deepfake can break under the right conditions.

But as technology evolves, detection will need to evolve with it.

Because in the near future, the challenge will not be spotting what looks fake — but questioning what looks real.

The post The Viral “Three-Finger” Test — A Simple Trick Exposing Deepfake Live Calls appeared first on First Hackers News.

The upcoming India CCTV ban is a significant development in the country’s surveillance landscape.

This move comes as part of stricter cybersecurity regulations aimed at reducing risks linked to foreign hardware in sensitive environments. The government now requires all internet-connected CCTV and related devices to meet new certification standards before they can be sold in the country.

At the center of this change is a push for stronger control over hardware security. Devices must clearly disclose where their core components come from and pass strict testing checks. Products that fail to meet these requirements will not be allowed in the Indian market.

What This Means for the Market

The new rules are already reshaping the surveillance industry in India, with local brands gaining a strong advantage. Companies like CP Plus and Qubo have adapted quickly by changing their supply chains and focusing on compliant components.

Key changes include:

• Shift towards locally manufactured or approved hardware
• Reduced reliance on Chinese chipsets and components
• Increased focus on secure communication and regular updates
• Strong growth of “Make in India” surveillance products

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

This transition has helped domestic brands capture a major share of the market, while global players now operate mostly in niche or premium segments.

However, the shift also comes with some impact on pricing and availability. Replacing low-cost components and meeting compliance standards has pushed up costs, especially for mid-range and high-end systems.

For many cybersecurity experts, this is a necessary step toward better data protection and infrastructure security. At the same time, some concerns remain about long-term performance and how quickly local manufacturers can scale without compromising quality.

Overall, the move signals a clear direction — tighter control, stronger security, and reduced dependence on foreign surveillance technology.

The post India Tightens Rules on CCTV and Network Devices appeared first on First Hackers News.