The new approach uses Merkle Tree Certificates (MTCs), developed through the IETF PLANTS working group, to strengthen web security without slowing down the internet.

Why This Is Needed

Quantum computers could one day break today’s encryption methods used in HTTPS.

Post-quantum cryptography already exists, but it creates much larger keys. Larger keys mean:

• Bigger certificate sizes
• Slower TLS handshakes
• Higher bandwidth usage
• Performance issues in traditional X.509 certificate chains

Because of this, Chrome is not adding post-quantum X.509 certificates to its Root Store right now.

What Are Merkle Tree Certificates (MTCs)?

Instead of using large signature chains, MTCs use compact cryptographic proofs.

Here’s how it works:

• A Certification Authority (CA) signs one “Tree Head”
• That Tree Head can represent millions of certificates
• The browser receives only a small proof showing the certificate is included

This keeps security strong while reducing data size.

Key Benefits of MTCs

• Smaller TLS handshakes
• Better performance
• Built-in transparency
• Easier scaling for millions of certificates
• Strong post-quantum protection

Chrome’s Rollout Plan

Chrome is rolling this out in three phases.

Phase 1 (Now Ongoing)
Chrome is working with Cloudflare to test MTCs in real-world conditions. A traditional X.509 certificate is still used as a backup during testing.

Phase 2 (Q1 2027)
Trusted Certificate Transparency log operators will help launch public MTC systems.

Phase 3 (Q3 2027)
Chrome will introduce a new Quantum-Resistant Root Store (CQRS). This will support only MTC-based certificates and run alongside the current root program.

Websites will also have the option to enforce quantum-resistant connections only.

What’s Next

Google sees this as a major step in modernizing TLS.

Future plans include:

• Improved automated certificate management (ACME)
• Better revocation systems to replace old CRLs
• Stronger domain validation methods
• Continuous external monitoring instead of yearly audits

Chrome aims to build a faster, simpler, and quantum-safe web while maintaining compatibility with today’s ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Chrome Introduces Quantum-Safe HTTPS Protection appeared first on First Hackers News.

The vulnerability required no clicks, no extensions, and no user interaction. Simply visiting a malicious website could trigger the attack.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours.

How the Attack Worked

When a developer visited an attacker-controlled website, malicious JavaScript executed in the browser. That script initiated a WebSocket connection directly to the local OpenClaw gateway.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Because the gateway exempted localhost connections from rate limiting, attackers could perform rapid brute-force password attempts — often hundreds per second — significantly increasing the likelihood of bypassing human-created passwords.

Once authentication was successful, the malicious script silently registered itself as a trusted device. This bypassed normal user confirmation prompts and granted persistent access.

From there, the attacker effectively controlled the AI agent and the connected environment.

What Attackers Could Do

With gateway-level access, attackers could:

• Send instructions to the AI agent and retrieve responses
• Access configuration data, including AI providers and integrations
• Enumerate connected nodes and internal IP addresses
• Read logs for operational and reconnaissance insights
• Search Slack or messaging history for API keys and credentials
• Extract sensitive files from the workstation
• Execute shell commands on connected systems

In practical terms, this equated to a full workstation compromise.

This incident highlights a growing cybersecurity concern: shadow AI. Developer-adopted AI tools often operate outside traditional IT visibility while maintaining deep access to local systems, credentials, APIs, and internal communications.

Earlier this year, OpenClaw’s ecosystem also faced issues with malicious community “skills” distributed through its marketplace. However, this newly discovered vulnerability was more severe because it resided in the core gateway architecture itself — not in third-party plugins.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours. Users and organizations must immediately upgrade to version 2026.2.25 or later to mitigate risk.

Beyond patching, enterprises should implement stronger governance, monitoring, and security controls for AI-powered developer tools.

As AI agents gain deeper system access, their compromise no longer represents just an application breach — it represents full environment exposure.

The post OpenClaw Exploit Compromises Developer AI Agents appeared first on First Hackers News.

In such an environment, cybersecurity controls alone are not sufficient.

What determines resilience during conflict is the strength of Business Continuity Planning (BCP) combined with real-time cyber defense operations.

The Shift From Security to Continuity

Traditional cybersecurity focuses on detection and response. During active regional conflict, that approach must evolve into operational resilience.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Business Continuity ensures that critical operations remain functional despite sustained cyber pressure. It defines executive decision authority during crisis, structures communication channels, aligns legal and compliance obligations, and prioritizes recovery timelines based on business impact.

When war tensions escalate, tolerance for downtime disappears. Customers expect uninterrupted service. Regulators expect accountability. Stakeholders expect leadership clarity. Organizations without a tested continuity framework risk turning a cyber incident into a full-scale operational disruption.

Elevated Threat Conditions Require Elevated Readiness

The current regional instability demands a higher defensive posture. This includes continuous monitoring, validated backup integrity, predefined executive escalation paths, and tight coordination between security operations and leadership.

A mature continuity-driven model integrates:

• 24×7 Security Operations and incident management
• Advanced threat detection and correlation
• MITRE ATT&CK–aligned investigations
• Rapid containment and structured recovery
• Executive-level reporting and crisis coordination

Security tools are critical, but without structured continuity alignment, even strong detection capabilities can fall short under sustained attack pressure.

Multi-Platform Security Expertise

Effective resilience requires seamless operation across enterprise ecosystems. i6 brings deep experience across leading SIEM, XDR, and EDR platforms, including Microsoft Sentinel, IBM QRadar, Splunk, ArcSight, Google Chronicle, CrowdStrike Falcon, VMware Carbon Black, Microsoft Defender, and other enterprise-grade technologies.

Our approach reinforces existing security investments while strengthening response coordination and operational stability.

i6 Commitment During the Current Middle East Conflict

In response to the elevated cyber threat landscape created by the ongoing Middle East war tensions, i6 is extending FREE SOC monitoring and Business Continuity reinforcement support to eligible organizations operating within the region.

This initiative reflects our belief that during periods of regional instability, cybersecurity responsibility extends beyond commercial engagement. Operational continuity becomes a shared priority.

Our objective is clear: strengthen detection, accelerate response, and help organizations maintain operational stability despite heightened risk conditions.

Continuity Defines Leadership

Business Continuity is not a document prepared for audits. It is an executive discipline that determines whether an organization absorbs disruption or withstands it.

During the current Middle East environment, resilience is no longer optional. Organizations that remain operational during instability are not necessarily those without incidents. They are those with structured readiness and continuity-driven defense.

At i6, we stand ready to reinforce that resilience when it matters most.

The post i6 — Your Business Continuity Partner During the Ongoing Middle East Conflict appeared first on First Hackers News.

In just twelve days, 1,437 Windows users downloaded a malicious file after visiting a fake Zoom meeting page. What looked like a routine update turned into silent surveillance.

How the Scam Works

The attack begins with a fake domain designed to closely resemble Zoom’s official website.

When opened, the page displays a realistic Zoom waiting room. Fake participants join the meeting one by one. Background sounds and meeting chimes play to create authenticity.

Everything feels normal.

Then a “Network Issue” message appears on the screen.

This is intentional. The warning creates urgency and makes users believe their Zoom session requires a fix.

The Fake Update Trap

Shortly after the “network issue” appears, users see an “Update Available” pop-up.

A countdown timer starts. There is no option to close it.

Within seconds, a file downloads automatically. The page even switches to what looks like a Microsoft Store installation screen for “Zoom Workplace,” reinforcing the illusion.

But the downloaded file is not a Zoom update.

It is a modified Teramind monitoring agent — a legitimate employee surveillance tool — preconfigured to send data to attacker-controlled servers.

Once executed, the installer:

• Runs silently in the background
• Installs under a hidden system directory
• Uses legitimate Teramind binaries
• Avoids detection because the software itself is genuine

The tool operates in stealth mode, meaning no visible icons or program listings appear.

After installation, it begins collecting:

• Keystrokes
• Screens activity
• Application usage
• Clipboard content

It also includes anti-analysis techniques, behaving differently in sandbox or research environments.

Because it uses authentic software components, many antivirus tools fail to immediately flag it.

Why This Attack Is Effective

This campaign does not rely on sophisticated exploits.

It relies on timing and psychology.

Within 30 seconds, victims believe they are simply fixing a Zoom glitch. The interactive design even prevents automated security scanners from easily detecting the malicious behavior.

Instead of building new malware, attackers are misusing trusted corporate monitoring software.

That makes detection harder — and the deception more convincing.

What To Do If You Suspect Infection

If you visited the fake site or downloaded the file:

• Do not run the installer
• Check for unusual hidden folders in the ProgramData directory
• Review active background services for unknown entries
• Change passwords from a clean device
• Contact your IT or security team immediately

Indicators of Compromise (IOCs)

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Fake Zoom Update Infects 1,437 in Days appeared first on First Hackers News.

Security researchers from Cyberthint found that ZeroDayRAT is being sold on Telegram as a Malware-as-a-Service (MaaS). This means even non-technical criminals can subscribe, access a web-based dashboard, and control infected devices remotely.

The infection usually starts with smishing messages — fake SMS alerts pretending to be service providers or app updates. Victims are tricked into installing a malicious Android APK or iOS payload. Once installed, the attacker gains full control through a browser-based control panel.

Through this dashboard, attackers can view device details, monitor messages, track GPS location, and even activate the microphone and camera. The malware also targets financial apps by using clipboard hijacking and fake login overlays to steal credentials. It can intercept OTP codes, allowing criminals to bypass two-factor authentication in real time.

ZeroDayRAT is sold in subscription tiers — $250 per day, $1000 per week, and $3500 per month — and transactions are reportedly handled through escrow services, indicating an organized criminal operation.

What Makes ZeroDayRAT Dangerous

• Real-time GPS tracking and live surveillance
• Remote camera and microphone activation
• Screen recording and keylogging
• Clipboard hijacking for cryptocurrency theft
• Fake login overlays for banking and payment apps
• OTP interception to bypass 2FA
• Easy-to-use browser control panel
• Sold as a subscription service on Telegram

Credibility Concerns

Security analysts say ZeroDayRAT appears to be a real threat, but some details raise questions. In one promotional screenshot, researchers noticed a browser tab labeled “Create USDT Wallet Address,” which looked staged or taken from demo material. This suggests that some features may be exaggerated for marketing.

Even so, the overall capability of the tool reflects a growing shift in cybercrime. Criminals can now rent advanced surveillance kits that were once limited to highly skilled actors. ZeroDayRAT joins other mobile-focused threats like Anatsa, Arsink, and NFCShare that target banking apps, crypto wallets, and everyday mobile behavior.

As mobile malware continues to evolve, users and organizations must stay cautious. Most infections still begin with simple smishing messages or fake app downloads — proving that even small actions can lead to serious compromise.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post ZeroDayRAT Turns Mobile Phones into Spy and Theft Tools appeared first on First Hackers News.

The company credits stronger, multi-layered protections and AI-powered reviews for discouraging attackers from targeting the Play Store in the first place.

Every app submitted to Google Play now goes through more than 10,000 automated and human safety checks before publication, followed by continuous monitoring after it goes live. Google has also added generative AI models to help reviewers detect complex malware, fraud schemes, hidden subscriptions, and misuse of user data.

Privacy, Reviews, and Child Safety – Google malicious apps

Beyond blocking malicious apps, Google strengthened privacy and trust controls across the platform.

Key highlights from 2025:

• 1.75+ million apps rejected for malware, fraud, hidden charges, or data misuse
• 80,000+ bad developer accounts banned
• 255,000 apps restricted from accessing excessive sensitive data
• 160 million fake or abusive ratings and reviews blocked
• Extra protections added to prevent children from accessing high-risk apps

Tools like Play Policy Insights and the Data Safety section help developers fix privacy issues before submission, reducing accidental violations.

On-Device Protection with Play Protect

Security doesn’t stop at the Play Store. Google Play Protect now scans over 350 billion apps daily, including sideloaded apps installed outside the store.

In 2025:

• 27 million new malicious sideloaded apps detected
• Expanded fraud protection to 185 markets (2.8+ billion devices)
• 266 million risky installation attempts blocked
• 872,000 high-risk scam apps stopped
• New in-call scam protection prevents users from disabling Play Protect during social-engineering attacks

How Google Strengthened Play Store Security in 2025

Developers made over 20 billion daily integrity checks using the Play Integrity API to protect apps from abuse and spoofing. Hardware-backed security signals and improved account verification are also being expanded, including limited distribution accounts for students and hobbyists.

Looking ahead, Google plans deeper AI integration, stricter verification, and new Android 16 protections such as built-in defenses against tapjacking.

Together, these measures show Google’s broader strategy: block malicious apps at scale, reduce fraud and privacy abuse, and strengthen trust across the Android ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Google Blocks 1.75 Million Harmful Apps from Play Store in 2025 appeared first on First Hackers News.

Instead of using fixed screen coordinates or simple automation rules, PromptSpy sends Gemini a natural-language request along with an XML snapshot of the current screen. This snapshot includes details about visible elements such as text, type, and screen position.

Gemini analyzes the screen content and responds with JSON instructions telling the malware what action to perform — such as tap, long-press, or swipe — and exactly where to do it.

The main goal is persistence. PromptSpy uses this AI-driven method to keep its malicious app pinned in the Recent Apps list, even when the user tries to close it.

The malware runs in a loop. It executes Gemini’s instructions using Android’s Accessibility Service, captures the updated screen, and sends it back to Gemini. This continues until the AI confirms the app is successfully pinned. Because it relies on AI analysis instead of hardcoded rules, it works across different devices, Android versions, and manufacturer customizations.

Security researchers at ESET describe PromptSpy as the first known Android malware to directly integrate generative AI into its execution flow. The focus is stealthy persistence and maintaining control over the device.

Android AI Malware Capabilities

Beyond AI-based persistence, PromptSpy also acts as a powerful remote access tool.

It includes a built-in VNC component that allows attackers to control the infected phone in real time. Once the victim grants Accessibility permissions, attackers can:

• View the device screen live
• Simulate taps and gestures
• Perform actions as if physically holding the phone

The malware can capture lockscreen credentials, gather device information, take screenshots, record screen activity as video, and monitor which app is currently in use.

It communicates with a hardcoded command-and-control server using the VNC protocol, protected by AES encryption. The server can also send a Gemini API key and additional task instructions to the malware.

PromptSpy also actively blocks removal attempts. It abuses Accessibility permissions to place invisible overlays on important system buttons, including those used to uninstall the app or disable its privileges.

These transparent overlays intercept user taps on “Uninstall” or “Stop,” preventing normal removal.

Technical analysis shows that PromptSpy is delivered through a dropper app. The malicious payload (app-release.apk) is embedded inside the dropper’s assets directory.

Campaign Spread and Target Regions

ESET connects PromptSpy to a multi-stage, financially driven campaign mainly targeting users in Argentina.

An earlier variant, VNCSpy, was uploaded from Hong Kong in January 2026. More advanced PromptSpy samples appeared from Argentina in February 2026.

The malware spread through domains such as mgardownload[.]com and m-mgarg[.]com, which imitated JPMorgan Chase branding under the name “MorganArg” using Spanish banking lures.

Analysis of the same infrastructure revealed another Android phishing trojan signed with the same certificate and using the same fake banking site, likely acting as the initial infection stage before deploying PromptSpy.

Although PromptSpy has not appeared widely in ESET telemetry and may still be in limited testing, the active domains confirm some real-world use.

Code findings, including simplified Chinese debug strings and references to Chinese Accessibility events, suggest development in a Chinese-speaking environment, even though current targets are in Latin America.

PromptSpy is not available on Google Play, and Google Play Protect now detects known variants.

This campaign follows ESET’s 2025 discovery of PromptLock, an AI-powered ransomware prototype, highlighting the growing use of generative AI in malware operations.

IOCs

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post PromptSpy: Android Malware Uses Google Gemini AI appeared first on First Hackers News.

The vulnerability, identified as CVE-2025-15556, impacts the application’s WinGUp updater component. The problem lies in how the software handles updates — it downloads files without properly verifying their authenticity.

How the Attack Could Happen

If an attacker manages to intercept the connection between the application and its update server, they could redirect the request to a malicious server. Instead of installing a legitimate update, the system could unknowingly download and execute a tampered installer.

This type of scenario is commonly known as a man-in-the-middle attack. If exploited successfully, the attacker could run code on the victim’s system with the same permissions as the logged-in user. That could lead to malware installation, data theft, backdoor creation, or long-term system compromise.

CISA has added this issue to its Known Exploited Vulnerabilities (KEV) catalog, signaling heightened risk. Although there is no confirmed link to ransomware campaigns at this time, the inclusion suggests that the flaw is being taken seriously.

Because Notepad++ is widely used by developers, IT teams, and enterprises, the potential impact is broad.Users are strongly advised to apply official updates as soon as they become available.

Organizations should prioritize patch deployment across all systems where Notepad++ is installed and monitor update traffic for unusual behavior.When the update mechanism itself becomes vulnerable, even routine software maintenance can turn into a security risk.

The post Critical Notepad++ Flaw Allows Code Execution, CISA Issues Alert appeared first on First Hackers News.

This method is more dangerous because it uses real security features, like two-factor authentication, against the victim.

How the Phishing Email Looks Legitimate

The attack starts with an email that looks like it was sent by Apple. The message includes official logos, proper formatting, and a clean, professional layout. There are no obvious spelling mistakes or broken designs, which makes it harder to identify as fake.

The subject line is written to create fear and urgency. It usually mentions a costly purchase, such as a MacBook, expensive device, or large gift card transaction. The email claims the transaction has been blocked for security reasons.

Instead of providing a suspicious link, the message tells the user they must verify their identity to prevent account suspension.

The Phone Number Trick (Vishing Stage)

A key difference in this campaign is that victims are told to call a “Billing & Fraud Prevention” phone number. Some emails even claim that a fraud review “appointment” has already been scheduled.

This step is designed to build trust. Many people feel safer calling a number than clicking a link, which is exactly what the attackers want.

When the victim calls, they are connected to a scammer pretending to be an Apple support agent.

The fake support agent follows a prepared script. They speak calmly and professionally. They may confirm basic details like the victim’s name, email, or device type to sound convincing.

The goal here is psychological — the attacker wants the victim to believe they are dealing with a real security team trying to stop fraud.

How the Account Takeover Happens

Once trust is built, the technical part of the attack begins. The scammer attempts to sign in to the victim’s Apple ID on their own device. This triggers a real two-factor authentication (2FA) code sent to the victim’s phone.

The scammer then asks the victim to read the code aloud. They claim it is required to “verify the account,” “cancel the transaction,” or “stop the fraud.” Research highlighted by Malwarebytes shows this tactic is becoming more common.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

If the victim shares the code, they unknowingly give the attacker full access to their account.

With control of the account, scammers can misuse stored payment methods, access digital wallet data, or even lock users out of their own devices. Because the login process used real security steps, victims may not realize they helped the attacker themselves.

Key Warning Signs

• Emails creating urgency about expensive purchases you did not make
• Messages asking you to call a number instead of using official channels
• Anyone asking for your password or verification code

How to Stay Safe

Always verify alerts directly through official apps or websites, not through numbers or links in emails. Never share one-time verification codes with anyone — legitimate support teams will never ask for them.

If you believe you were targeted, immediately change your password, sign out of other sessions, and contact your bank about suspicious activity.

The post Apple Pay Users Hit by Phishing Scam Designed to Harvest Payment Data appeared first on First Hackers News.

The update mainly affects BIG-IP Advanced WAF, NGINX products, and BIG-IP Container Ingress Services. Since these systems often handle incoming application traffic, leaving them unpatched could expose organizations to serious attacks.

All about the vulnerability

BIG-IP Advanced WAF & ASM (CVE-2026-22548)
This flaw affects the Web Application Firewall and Application Security Manager modules on BIG-IP devices. Attackers could potentially bypass security protections or disrupt services. It impacts versions 17.1.0 to 17.1.2, and the fix is included in 17.1.3.

NGINX Vulnerability (CVE-2026-1642)
A major issue was found across the NGINX ecosystem, including NGINX Plus, Open Source, and the Ingress Controller. Because NGINX often runs at the edge of networks as a reverse proxy or load balancer, vulnerable systems could become easy targets. This issue also carries a high severity score.

BIG-IP Container Ingress Services (CVE-2026-22549)
For organizations using Kubernetes or OpenShift, a vulnerability affects Container Ingress Services versions 2.0.0 through 2.20.1. A patched version is available in 2.20.2.

Affected Components

F5 also warned about a configuration risk related to SMTP settings in BIG-IP systems. This isn’t a software bug but could allow misuse if not properly secured. Administrators should review and harden their configurations.

What Organizations Should Do

• Identify all BIG-IP and NGINX systems in use
• Check installed versions against the affected list
• Apply updates as soon as possible
• Review and secure SMTP configurations on BIG-IP devices

Because these products sit at key network entry points, patching them quickly is critical to reducing exposure.

The post Critical Flaws in F5 BIG-IP and NGINX Prompt Urgent Security Patches appeared first on First Hackers News.