With this approach, users will no longer have to depend on shared cloud storage limits. Instead, WhatsApp aims to provide its own storage environment specifically built for messaging data. This is especially important as chat backups today include large files like high-resolution images, videos, and voice notes, which quickly consume available space.

All data stored in this system will be protected with end-to-end encryption by default. This means that messages remain private, and even WhatsApp itself cannot access the content. By keeping backups encrypted at all times, the platform is aiming to reduce the risk of unauthorized access or data exposure.

Enhanced Security with Passkeys

To strengthen protection further, WhatsApp is planning to introduce passkey-based authentication for backup access. Instead of using traditional passwords or long encryption keys, users will be able to unlock their backups using biometric methods such as fingerprint or facial recognition.

This makes the process both simpler and more secure. The authentication is tied directly to the user’s device, which reduces the risk of attacks like phishing, credential theft, or brute-force attempts. The passkey is securely stored and can sync across trusted devices, allowing users to restore backups without needing to remember complex credentials.

At the same time, WhatsApp is expected to keep alternative options available. Users who prefer using passwords or encryption keys will still have that choice, ensuring flexibility for different security preferences.

Storage Options and Rollout Plans

The upcoming system is also expected to introduce dedicated storage plans for backups. Early expectations suggest a small free storage tier for basic use, along with larger paid options for users who need more capacity. This would allow users to manage their backup storage without affecting their personal cloud accounts.

Despite this shift, WhatsApp is likely to continue supporting third-party backups for users who prefer their current setup. This ensures a smoother transition without forcing immediate changes.

The feature is still in development and has not yet been released publicly. It is expected to go through multiple testing phases to ensure stability, security, and compatibility with existing systems before a wider rollout begins.

This move reflects a broader industry trend toward building self-contained ecosystems that prioritize privacy, security, and better control over user data, rather than relying entirely on external platforms.

The post WhatsApp Tests Safer Cloud Backup for Messages appeared first on First Hackers News.

The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

The new approach uses Merkle Tree Certificates (MTCs), developed through the IETF PLANTS working group, to strengthen web security without slowing down the internet.

Why This Is Needed

Quantum computers could one day break today’s encryption methods used in HTTPS.

Post-quantum cryptography already exists, but it creates much larger keys. Larger keys mean:

• Bigger certificate sizes
• Slower TLS handshakes
• Higher bandwidth usage
• Performance issues in traditional X.509 certificate chains

Because of this, Chrome is not adding post-quantum X.509 certificates to its Root Store right now.

What Are Merkle Tree Certificates (MTCs)?

Instead of using large signature chains, MTCs use compact cryptographic proofs.

Here’s how it works:

• A Certification Authority (CA) signs one “Tree Head”
• That Tree Head can represent millions of certificates
• The browser receives only a small proof showing the certificate is included

This keeps security strong while reducing data size.

Key Benefits of MTCs

• Smaller TLS handshakes
• Better performance
• Built-in transparency
• Easier scaling for millions of certificates
• Strong post-quantum protection

Chrome’s Rollout Plan

Chrome is rolling this out in three phases.

Phase 1 (Now Ongoing)
Chrome is working with Cloudflare to test MTCs in real-world conditions. A traditional X.509 certificate is still used as a backup during testing.

Phase 2 (Q1 2027)
Trusted Certificate Transparency log operators will help launch public MTC systems.

Phase 3 (Q3 2027)
Chrome will introduce a new Quantum-Resistant Root Store (CQRS). This will support only MTC-based certificates and run alongside the current root program.

Websites will also have the option to enforce quantum-resistant connections only.

What’s Next

Google sees this as a major step in modernizing TLS.

Future plans include:

• Improved automated certificate management (ACME)
• Better revocation systems to replace old CRLs
• Stronger domain validation methods
• Continuous external monitoring instead of yearly audits

Chrome aims to build a faster, simpler, and quantum-safe web while maintaining compatibility with today’s ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Chrome Introduces Quantum-Safe HTTPS Protection appeared first on First Hackers News.

The vulnerability required no clicks, no extensions, and no user interaction. Simply visiting a malicious website could trigger the attack.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours.

How the Attack Worked

When a developer visited an attacker-controlled website, malicious JavaScript executed in the browser. That script initiated a WebSocket connection directly to the local OpenClaw gateway.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Because the gateway exempted localhost connections from rate limiting, attackers could perform rapid brute-force password attempts — often hundreds per second — significantly increasing the likelihood of bypassing human-created passwords.

Once authentication was successful, the malicious script silently registered itself as a trusted device. This bypassed normal user confirmation prompts and granted persistent access.

From there, the attacker effectively controlled the AI agent and the connected environment.

What Attackers Could Do

With gateway-level access, attackers could:

• Send instructions to the AI agent and retrieve responses
• Access configuration data, including AI providers and integrations
• Enumerate connected nodes and internal IP addresses
• Read logs for operational and reconnaissance insights
• Search Slack or messaging history for API keys and credentials
• Extract sensitive files from the workstation
• Execute shell commands on connected systems

In practical terms, this equated to a full workstation compromise.

This incident highlights a growing cybersecurity concern: shadow AI. Developer-adopted AI tools often operate outside traditional IT visibility while maintaining deep access to local systems, credentials, APIs, and internal communications.

Earlier this year, OpenClaw’s ecosystem also faced issues with malicious community “skills” distributed through its marketplace. However, this newly discovered vulnerability was more severe because it resided in the core gateway architecture itself — not in third-party plugins.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours. Users and organizations must immediately upgrade to version 2026.2.25 or later to mitigate risk.

Beyond patching, enterprises should implement stronger governance, monitoring, and security controls for AI-powered developer tools.

As AI agents gain deeper system access, their compromise no longer represents just an application breach — it represents full environment exposure.

The post OpenClaw Exploit Compromises Developer AI Agents appeared first on First Hackers News.

In such an environment, cybersecurity controls alone are not sufficient.

What determines resilience during conflict is the strength of Business Continuity Planning (BCP) combined with real-time cyber defense operations.

The Shift From Security to Continuity

Traditional cybersecurity focuses on detection and response. During active regional conflict, that approach must evolve into operational resilience.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Business Continuity ensures that critical operations remain functional despite sustained cyber pressure. It defines executive decision authority during crisis, structures communication channels, aligns legal and compliance obligations, and prioritizes recovery timelines based on business impact.

When war tensions escalate, tolerance for downtime disappears. Customers expect uninterrupted service. Regulators expect accountability. Stakeholders expect leadership clarity. Organizations without a tested continuity framework risk turning a cyber incident into a full-scale operational disruption.

Elevated Threat Conditions Require Elevated Readiness

The current regional instability demands a higher defensive posture. This includes continuous monitoring, validated backup integrity, predefined executive escalation paths, and tight coordination between security operations and leadership.

A mature continuity-driven model integrates:

• 24×7 Security Operations and incident management
• Advanced threat detection and correlation
• MITRE ATT&CK–aligned investigations
• Rapid containment and structured recovery
• Executive-level reporting and crisis coordination

Security tools are critical, but without structured continuity alignment, even strong detection capabilities can fall short under sustained attack pressure.

Multi-Platform Security Expertise

Effective resilience requires seamless operation across enterprise ecosystems. i6 brings deep experience across leading SIEM, XDR, and EDR platforms, including Microsoft Sentinel, IBM QRadar, Splunk, ArcSight, Google Chronicle, CrowdStrike Falcon, VMware Carbon Black, Microsoft Defender, and other enterprise-grade technologies.

Our approach reinforces existing security investments while strengthening response coordination and operational stability.

i6 Commitment During the Current Middle East Conflict

In response to the elevated cyber threat landscape created by the ongoing Middle East war tensions, i6 is extending FREE SOC monitoring and Business Continuity reinforcement support to eligible organizations operating within the region.

This initiative reflects our belief that during periods of regional instability, cybersecurity responsibility extends beyond commercial engagement. Operational continuity becomes a shared priority.

Our objective is clear: strengthen detection, accelerate response, and help organizations maintain operational stability despite heightened risk conditions.

Continuity Defines Leadership

Business Continuity is not a document prepared for audits. It is an executive discipline that determines whether an organization absorbs disruption or withstands it.

During the current Middle East environment, resilience is no longer optional. Organizations that remain operational during instability are not necessarily those without incidents. They are those with structured readiness and continuity-driven defense.

At i6, we stand ready to reinforce that resilience when it matters most.

The post i6 — Your Business Continuity Partner During the Ongoing Middle East Conflict appeared first on First Hackers News.

In just twelve days, 1,437 Windows users downloaded a malicious file after visiting a fake Zoom meeting page. What looked like a routine update turned into silent surveillance.

How the Scam Works

The attack begins with a fake domain designed to closely resemble Zoom’s official website.

When opened, the page displays a realistic Zoom waiting room. Fake participants join the meeting one by one. Background sounds and meeting chimes play to create authenticity.

Everything feels normal.

Then a “Network Issue” message appears on the screen.

This is intentional. The warning creates urgency and makes users believe their Zoom session requires a fix.

The Fake Update Trap

Shortly after the “network issue” appears, users see an “Update Available” pop-up.

A countdown timer starts. There is no option to close it.

Within seconds, a file downloads automatically. The page even switches to what looks like a Microsoft Store installation screen for “Zoom Workplace,” reinforcing the illusion.

But the downloaded file is not a Zoom update.

It is a modified Teramind monitoring agent — a legitimate employee surveillance tool — preconfigured to send data to attacker-controlled servers.

Once executed, the installer:

• Runs silently in the background
• Installs under a hidden system directory
• Uses legitimate Teramind binaries
• Avoids detection because the software itself is genuine

The tool operates in stealth mode, meaning no visible icons or program listings appear.

After installation, it begins collecting:

• Keystrokes
• Screens activity
• Application usage
• Clipboard content

It also includes anti-analysis techniques, behaving differently in sandbox or research environments.

Because it uses authentic software components, many antivirus tools fail to immediately flag it.

Why This Attack Is Effective

This campaign does not rely on sophisticated exploits.

It relies on timing and psychology.

Within 30 seconds, victims believe they are simply fixing a Zoom glitch. The interactive design even prevents automated security scanners from easily detecting the malicious behavior.

Instead of building new malware, attackers are misusing trusted corporate monitoring software.

That makes detection harder — and the deception more convincing.

What To Do If You Suspect Infection

If you visited the fake site or downloaded the file:

• Do not run the installer
• Check for unusual hidden folders in the ProgramData directory
• Review active background services for unknown entries
• Change passwords from a clean device
• Contact your IT or security team immediately

Indicators of Compromise (IOCs)

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Fake Zoom Update Infects 1,437 in Days appeared first on First Hackers News.

Security researchers from Cyberthint found that ZeroDayRAT is being sold on Telegram as a Malware-as-a-Service (MaaS). This means even non-technical criminals can subscribe, access a web-based dashboard, and control infected devices remotely.

The infection usually starts with smishing messages — fake SMS alerts pretending to be service providers or app updates. Victims are tricked into installing a malicious Android APK or iOS payload. Once installed, the attacker gains full control through a browser-based control panel.

Through this dashboard, attackers can view device details, monitor messages, track GPS location, and even activate the microphone and camera. The malware also targets financial apps by using clipboard hijacking and fake login overlays to steal credentials. It can intercept OTP codes, allowing criminals to bypass two-factor authentication in real time.

ZeroDayRAT is sold in subscription tiers — $250 per day, $1000 per week, and $3500 per month — and transactions are reportedly handled through escrow services, indicating an organized criminal operation.

What Makes ZeroDayRAT Dangerous

• Real-time GPS tracking and live surveillance
• Remote camera and microphone activation
• Screen recording and keylogging
• Clipboard hijacking for cryptocurrency theft
• Fake login overlays for banking and payment apps
• OTP interception to bypass 2FA
• Easy-to-use browser control panel
• Sold as a subscription service on Telegram

Credibility Concerns

Security analysts say ZeroDayRAT appears to be a real threat, but some details raise questions. In one promotional screenshot, researchers noticed a browser tab labeled “Create USDT Wallet Address,” which looked staged or taken from demo material. This suggests that some features may be exaggerated for marketing.

Even so, the overall capability of the tool reflects a growing shift in cybercrime. Criminals can now rent advanced surveillance kits that were once limited to highly skilled actors. ZeroDayRAT joins other mobile-focused threats like Anatsa, Arsink, and NFCShare that target banking apps, crypto wallets, and everyday mobile behavior.

As mobile malware continues to evolve, users and organizations must stay cautious. Most infections still begin with simple smishing messages or fake app downloads — proving that even small actions can lead to serious compromise.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post ZeroDayRAT Turns Mobile Phones into Spy and Theft Tools appeared first on First Hackers News.

The company credits stronger, multi-layered protections and AI-powered reviews for discouraging attackers from targeting the Play Store in the first place.

Every app submitted to Google Play now goes through more than 10,000 automated and human safety checks before publication, followed by continuous monitoring after it goes live. Google has also added generative AI models to help reviewers detect complex malware, fraud schemes, hidden subscriptions, and misuse of user data.

Privacy, Reviews, and Child Safety – Google malicious apps

Beyond blocking malicious apps, Google strengthened privacy and trust controls across the platform.

Key highlights from 2025:

• 1.75+ million apps rejected for malware, fraud, hidden charges, or data misuse
• 80,000+ bad developer accounts banned
• 255,000 apps restricted from accessing excessive sensitive data
• 160 million fake or abusive ratings and reviews blocked
• Extra protections added to prevent children from accessing high-risk apps

Tools like Play Policy Insights and the Data Safety section help developers fix privacy issues before submission, reducing accidental violations.

On-Device Protection with Play Protect

Security doesn’t stop at the Play Store. Google Play Protect now scans over 350 billion apps daily, including sideloaded apps installed outside the store.

In 2025:

• 27 million new malicious sideloaded apps detected
• Expanded fraud protection to 185 markets (2.8+ billion devices)
• 266 million risky installation attempts blocked
• 872,000 high-risk scam apps stopped
• New in-call scam protection prevents users from disabling Play Protect during social-engineering attacks

How Google Strengthened Play Store Security in 2025

Developers made over 20 billion daily integrity checks using the Play Integrity API to protect apps from abuse and spoofing. Hardware-backed security signals and improved account verification are also being expanded, including limited distribution accounts for students and hobbyists.

Looking ahead, Google plans deeper AI integration, stricter verification, and new Android 16 protections such as built-in defenses against tapjacking.

Together, these measures show Google’s broader strategy: block malicious apps at scale, reduce fraud and privacy abuse, and strengthen trust across the Android ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Google Blocks 1.75 Million Harmful Apps from Play Store in 2025 appeared first on First Hackers News.

Instead of using fixed screen coordinates or simple automation rules, PromptSpy sends Gemini a natural-language request along with an XML snapshot of the current screen. This snapshot includes details about visible elements such as text, type, and screen position.

Gemini analyzes the screen content and responds with JSON instructions telling the malware what action to perform — such as tap, long-press, or swipe — and exactly where to do it.

The main goal is persistence. PromptSpy uses this AI-driven method to keep its malicious app pinned in the Recent Apps list, even when the user tries to close it.

The malware runs in a loop. It executes Gemini’s instructions using Android’s Accessibility Service, captures the updated screen, and sends it back to Gemini. This continues until the AI confirms the app is successfully pinned. Because it relies on AI analysis instead of hardcoded rules, it works across different devices, Android versions, and manufacturer customizations.

Security researchers at ESET describe PromptSpy as the first known Android malware to directly integrate generative AI into its execution flow. The focus is stealthy persistence and maintaining control over the device.

Android AI Malware Capabilities

Beyond AI-based persistence, PromptSpy also acts as a powerful remote access tool.

It includes a built-in VNC component that allows attackers to control the infected phone in real time. Once the victim grants Accessibility permissions, attackers can:

• View the device screen live
• Simulate taps and gestures
• Perform actions as if physically holding the phone

The malware can capture lockscreen credentials, gather device information, take screenshots, record screen activity as video, and monitor which app is currently in use.

It communicates with a hardcoded command-and-control server using the VNC protocol, protected by AES encryption. The server can also send a Gemini API key and additional task instructions to the malware.

PromptSpy also actively blocks removal attempts. It abuses Accessibility permissions to place invisible overlays on important system buttons, including those used to uninstall the app or disable its privileges.

These transparent overlays intercept user taps on “Uninstall” or “Stop,” preventing normal removal.

Technical analysis shows that PromptSpy is delivered through a dropper app. The malicious payload (app-release.apk) is embedded inside the dropper’s assets directory.

Campaign Spread and Target Regions

ESET connects PromptSpy to a multi-stage, financially driven campaign mainly targeting users in Argentina.

An earlier variant, VNCSpy, was uploaded from Hong Kong in January 2026. More advanced PromptSpy samples appeared from Argentina in February 2026.

The malware spread through domains such as mgardownload[.]com and m-mgarg[.]com, which imitated JPMorgan Chase branding under the name “MorganArg” using Spanish banking lures.

Analysis of the same infrastructure revealed another Android phishing trojan signed with the same certificate and using the same fake banking site, likely acting as the initial infection stage before deploying PromptSpy.

Although PromptSpy has not appeared widely in ESET telemetry and may still be in limited testing, the active domains confirm some real-world use.

Code findings, including simplified Chinese debug strings and references to Chinese Accessibility events, suggest development in a Chinese-speaking environment, even though current targets are in Latin America.

PromptSpy is not available on Google Play, and Google Play Protect now detects known variants.

This campaign follows ESET’s 2025 discovery of PromptLock, an AI-powered ransomware prototype, highlighting the growing use of generative AI in malware operations.

IOCs

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post PromptSpy: Android Malware Uses Google Gemini AI appeared first on First Hackers News.