Many users experience slow performance during meetings or while switching between chats, particularly on older laptops or systems with low memory. This new mode is designed to solve that problem by making Teams smarter about how it uses system resources. The rollout is expected to begin in early May 2026 and will gradually reach users worldwide by mid-May.

Instead of applying the same performance settings to every device, Teams will now adapt based on the hardware it is running on. This means users with lower-end devices can still have a smooth experience without needing upgrades.

How Efficiency Mode Works

When Efficiency Mode is active, Teams automatically adjusts its behavior to reduce strain on the system. These changes happen in the background without requiring user input.

Some of the key improvements include:

• Video quality is dynamically lowered during meetings to reduce CPU and bandwidth usage while still maintaining clear communication
• The app launches faster by avoiding heavy initial loading, showing a simpler interface instead of opening a chat window immediately
• Background processes are minimized to prevent unnecessary memory and CPU consumption
• A visual indicator appears in the app so users know when Efficiency Mode is active

These adjustments help reduce lag, improve responsiveness, and make meetings more stable, especially when multiple apps are running at the same time.

Automatic Enablement and User Control

Efficiency Mode is automatically enabled on devices that are likely to benefit from it. This ensures users get better performance without needing to change any settings.

However, Microsoft also gives users full control. If someone prefers the standard experience with full visuals and higher resource usage, they can disable Efficiency Mode in the settings. This flexibility allows users to choose between performance and full feature usage based on their needs.

Importantly, Microsoft has confirmed that this feature does not affect compliance, privacy, or security settings, making it safe for both personal and enterprise use.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What IT Teams Should Know

For organizations, this update is relatively simple to manage. Since the feature is enabled automatically, most environments will not require configuration changes.

Still, IT teams should be aware of a few key points:

• Helpdesk teams should understand how the feature works to assist users with questions
• Employees may need guidance on how to turn the feature on or off
• Internal documentation may need updates to reflect the new behavior of Teams
• Monitoring user feedback can help determine if the feature improves productivity

By preparing ahead, organizations can ensure a smooth transition and better user experience.

Why This Matters

Efficiency Mode is an important step in making Teams more accessible and reliable across different types of devices. Not all users have high-performance systems, and performance issues can disrupt communication and collaboration.

By optimizing how Teams uses CPU, memory, and network resources, Microsoft is improving usability without removing core features. This means more users can participate in meetings, collaborate effectively, and stay productive regardless of their device limitations.

In the long run, features like this help reduce the gap between high-end and low-end devices, making modern workplace tools more inclusive and efficient.

The post Microsoft Teams Boosts Performance on Low-End Devices appeared first on First Hackers News.

The flaw impacted apps like Signal, where message previews could remain on the device even after the app was deleted. This created a privacy risk, as users would assume their data was completely removed.

Apple Notification Privacy Flaw Explained

The vulnerability, tracked as CVE-2026-28950, was caused by a problem in Apple’s notification logging system. Instead of fully deleting notifications, some data was still being stored in system logs.

This meant that message previews, including private conversations, could still exist on the device. Reports showed that investigators were able to recover this data, even after the app had been uninstalled.

Why This Matters

This issue is important because it shows that even secure apps can be affected by system-level behavior. While Signal uses strong encryption, the operating system storing notification previews created an unexpected privacy gap.

Key concerns included:

• Notifications not being fully deleted
• Sensitive message previews remaining accessible
• Data exposure happening outside the app itself

Apple’s Fix and Improvements

Apple resolved the issue by improving how notification data is handled and cleared from the system.

With the update:

• Notification data is properly removed
• Previously stored data is cleared automatically
• Future notifications are no longer retained after deletion

Signal also acknowledged the fix and supported the update, highlighting its importance for user privacy.

Devices That Receive the Update

The update is available for multiple Apple devices, including:

• iPhone 11 and newer
• iPad Pro (recent models)
• iPad Air (3rd generation and later)
• iPad (8th generation and later)
• iPad mini (5th generation and later)

Older supported devices can receive similar security fixes through updated versions.

What Users Should Do

Users should update their devices as soon as possible to stay protected. Keeping your system updated helps prevent privacy risks and ensures your data is secure.

To install the update, go to Settings, tap General, and select Software Update.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Apple Notification Privacy Flaw Fixed in iOS Update appeared first on First Hackers News.

These extensions were disguised as TikTok video download tools, tricking users into installing them. In reality, they were designed to track user behavior and collect sensitive information. The campaign has already affected more than 130,000 users, with thousands of installations still active.

Instead of building each extension from scratch, the attackers reused a single core codebase. They simply changed names and branding, using titles like “TikTok Video Downloader” or “Mass TikTok Downloader.” When one extension was removed from the store, a nearly identical version was quickly uploaded again, often using the same images and descriptions.

Some of these malicious extensions even received a “Featured” badge in official marketplaces, which increased user trust and led to higher download numbers.

How the Attack Works

A key part of this campaign is the use of remote configuration. The extensions are built using Manifest V3 (MV3), which allows them to fetch instructions from attacker-controlled servers after installation.

This means the extensions do not show harmful behavior immediately. Instead, they operate normally for several months, sometimes between six to twelve months, to build a positive reputation and avoid suspicion.

Once enough users have installed them, the attackers activate malicious features remotely. At that point, the extensions can change their behavior instantly without any update or user permission.

They can modify their functions, enable hidden features, redirect traffic to unsafe websites, and expand the amount of data they collect over time.

Data Collection and User Tracking

After activation, the extensions begin collecting detailed user data. This goes beyond basic tracking and is used to create a strong digital fingerprint for each user.

The collected data includes browsing patterns, frequency of use, details about downloaded content, system language, and time zone settings. They also track device battery status, which is an unusual but highly specific signal that helps identify users more accurately.

This combination of data allows attackers to track users across multiple sessions and websites.

Command and Control System

The extensions rely on external servers to receive instructions. These servers provide configuration files that control how the extensions behave.

To avoid detection, the attackers use typosquatting techniques, creating domain names that look very similar to legitimate ones. Small spelling changes make them appear trustworthy at first glance, helping them bypass basic checks.

Although the campaign has not been officially linked to a specific hacking group, the shared infrastructure and coordinated activity suggest a single, organized threat actor behind it.

Why This Is a Serious Threat

This campaign highlights a major weakness in browser security. Most security checks focus only on the time of installation, assuming that approved extensions will remain safe.

However, these extensions change their behavior later using remote commands, making them difficult to detect. Since they operate within the browser, they can access sensitive data and may even be used in larger attacks, such as data theft or botnet activity.

To defend against such threats, security experts recommend continuous monitoring of extension behavior, rather than relying only on initial approval checks.

The post Fake TikTok Extensions Target Thousands of Users appeared first on First Hackers News.

Since the print scheduler operates with elevated privileges, it becomes an attractive target for exploitation, especially in environments where print services are exposed over a network.

Remote Code Execution Risk

One of the identified issues enables attackers to execute code remotely on systems that expose shared print queues without authentication. The flaw originates from improper handling of print job inputs, where specially crafted data can bypass validation checks.

By injecting malicious input into print job parameters, an attacker can manipulate how the system processes configurations. This can result in the execution of unauthorized programs through the print service, effectively giving attackers control over the affected machine under the print service context.

This risk is particularly concerning for systems that allow anonymous access to shared printers, as it removes a key barrier to exploitation.

Privilege Escalation to Root

A second vulnerability allows local users with minimal privileges to escalate their access to full system control. This attack leverages weaknesses in how temporary printers are created and validated within the system.

An attacker can trick the system into granting elevated privileges during the printer setup process, then exploit a timing gap to redirect operations toward sensitive system files. By doing so, they can overwrite critical files and gain root-level access.

This type of attack is especially dangerous because it works even in default configurations, meaning no special setup is required beyond initial access to the system.

Security Recommendations

While fixes are in progress, organizations should take immediate precautions. Disabling external access to print services can significantly reduce exposure. Where shared printing is necessary, enforcing authentication is essential.

Additionally, running the print service within security frameworks such as AppArmor or SELinux can help contain potential damage by limiting what the service is allowed to access or modify.

The post CUPS Vulnerabilities: Remote Code Execution and Root Access Risk appeared first on First Hackers News.

Overview of the Findings

The investigation indicates that this activity is directly tied to identifiable user profiles. Given that LinkedIn accounts are built on real-world identities, including professional roles and organizational affiliations, the collected data is inherently non-anonymous and can be mapped to individuals and enterprises.

The report further suggests that the platform can detect a wide range of browser extensions, some of which may indirectly reveal sensitive attributes such as personal interests, behavioral patterns, or professional intent. In particular, the tracking of job-search-related tools introduces a risk of exposing users who are actively exploring new employment opportunities.

Key observations include:

• Alleged system-level scanning without explicit consent mechanisms
• Absence of clear disclosure within publicly available privacy documentation
• Ability to infer sensitive personal and professional information through extension detection
• Monitoring of a large number of job-related tools used by professionals

Such practices, if confirmed, could raise compliance concerns under the General Data Protection Regulation, which imposes strict requirements on the collection and processing of sensitive personal data.

Competitive Intelligence and Market Implications

Beyond individual privacy risks, the report outlines potential implications in the context of competitive intelligence. It alleges that LinkedIn can detect the use of third-party sales and prospecting tools, including platforms such as Apollo, Lusha, and ZoomInfo.

By correlating tool usage with user identities, the platform could theoretically derive insights into competitor adoption, customer segmentation, and enterprise tool preferences. The report also claims that such intelligence has been leveraged in enforcement actions targeting users of external tools.

Notable findings include:

• Detection and monitoring of a broad range of competing commercial tools
• Significant expansion in the number of tracked third-party applications over time
• Use of internal infrastructure, including the “Voyager” API, with limited visibility in regulatory disclosures
• Allegations of targeted actions against users leveraging non-native tools

These concerns intersect with obligations under the Digital Markets Act, under which LinkedIn has been designated as a gatekeeper. While limited APIs were introduced as part of compliance efforts, the report suggests these interfaces are not representative of the platform’s full operational scope.

Use of Tracking Technologies

The investigation also highlights the integration of external tracking mechanisms within LinkedIn’s web environment. It alleges that invisible elements sourced from HUMAN Security are used to deploy cookies without user visibility. Additionally, encrypted scripts associated with Google, along with proprietary fingerprinting techniques, are reported to execute during routine page interactions.

These components are said to operate passively in the background, contributing to continuous data collection without direct user awareness.

Closing Perspective

If substantiated, the findings outlined in the BrowserGate report point to a potentially sophisticated and opaque data collection framework operating within a widely trusted professional platform. The implications extend beyond individual privacy, touching on regulatory compliance, competitive fairness, and transparency in large-scale digital ecosystems.

The post LinkedIn Data Scanning: Hidden Tracking of User Devices Exposed appeared first on First Hackers News.

The extension takes advantage of user curiosity around ads in AI platforms, using a familiar name to appear trustworthy. Once installed, it monitors activity without interrupting the user experience, making it difficult to notice anything unusual.

It captures prompts, responses, and related metadata while continuing to behave like a normal extension on the surface.

Behind the Operation

After installation, the extension runs silently in the background and maintains persistence through scheduled activity. It regularly connects to a remote configuration hosted on GitHub, allowing attackers to change how it behaves without requiring any update from the user side.

When a user visits ChatGPT, the extension injects hidden scripts into the webpage. Instead of performing any ad-blocking function, it extracts the content of the page by removing styling and media elements while preserving the actual text of conversations.

This data is then compiled into a file and transmitted externally through a Discord webhook controlled by the attacker. The process is automated, meaning stolen conversations are continuously delivered without user awareness.

Investigators also observed suspicious activity linked to the developer account behind the extension. After years of inactivity, the account suddenly became active again, shifting focus toward JavaScript-based behavior. The same developer is connected to other AI-related services, raising broader concerns around data exposure.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What This Means for Users

• Conversations on ChatGPT can be silently captured
• Prompts, responses, and session data are exposed
• Data is sent to external servers without visibility
• Remote control allows attackers to modify behavior anytime
• Associated services may carry similar risks

This incident shows how easily malicious tools can blend into everyday usage. Even simple extensions can operate quietly in the background while collecting valuable data.

Being cautious with browser extensions, especially those linked to popular platforms, is essential. Trust should not be based on names or claims alone, but on verified sources and transparency.

The post Malicious “ChatGPT Ad Blocker” Extension Steals User Data appeared first on First Hackers News.

Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

Tracked as CVE-2025-53521, the flaw impacts the Access Policy Manager (APM) component and could allow remote code execution. While detailed technical information has not yet been fully disclosed, the nature of the vulnerability makes it particularly dangerous. BIG-IP devices often sit at the edge of networks, handling authentication, traffic management, and secure application delivery — making them a prime target for attackers seeking initial access.

CISA’s decision to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog is a clear indicator that organizations cannot afford to delay response. This is not a theoretical risk — threat actors are already leveraging it. Historically, similar vulnerabilities in BIG-IP systems have been quickly adopted by both financially motivated attackers and advanced threat groups because compromising these devices can provide deep visibility and control over network traffic.

Why This Vulnerability Matters

What makes this issue more concerning is the potential ease of exploitation. Even without full public disclosure, vulnerabilities that enable remote code execution are often rapidly weaponized. Once exploited, attackers can move laterally across the network, escalate privileges, and potentially access sensitive data.

Edge infrastructure like BIG-IP plays a critical role in enterprise environments. When such systems are compromised, they can act as a gateway for broader attacks. This aligns with a growing trend where attackers focus on perimeter devices rather than traditional endpoints, as these systems offer higher impact with less resistance.

Immediate Actions for Security Teams

Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority security event and respond without delay.

• Apply vendor-provided patches or mitigation steps immediately
• If fixes are unavailable, restrict or temporarily disable affected services
• Continuously monitor logs for unusual administrative actions or configuration changes
• Enforce strict access controls and reduce unnecessary exposure
• Implement network segmentation to limit potential spread after compromise

In addition to these steps, security teams should remain vigilant for evolving attack techniques, as exploitation methods may become more sophisticated over time.

Final Thoughts

The rapid inclusion of CVE-2025-53521 in the KEV catalog highlights an ongoing shift in attacker strategy — targeting critical infrastructure components that sit at the heart of enterprise networks. Organizations must move beyond reactive security and adopt a proactive approach that prioritizes visibility, rapid patching, and strong access controls.

Delaying action in cases like this significantly increases the risk of widespread compromise. For organizations relying on BIG-IP systems, the message is clear: act fast, monitor closely, and assume attackers are already attempting to exploit this weakness.

The post Active Exploitation of F5 BIG-IP Vulnerability Raises Urgency appeared first on First Hackers News.

Announced on March 25, 2026, the vulnerabilities impact both authoritative servers and DNS resolvers, making them a serious concern for organizations relying on BIND 9 for critical network operations. Administrators are strongly advised to apply patches immediately to avoid service disruption or unauthorized access.

CVE Breakdown and Security Impact

The most severe issue, CVE-2026-1519 (CVSS 7.5 – High), can lead to a Denial of Service. It is triggered when a resolver performs DNSSEC validation on a specially crafted zone, causing excessive NSEC3 processing. This results in high CPU usage and significantly reduces the server’s ability to handle queries. While disabling DNSSEC validation can reduce the impact, it is not recommended as it weakens security.

The second issue, CVE-2026-3119 (CVSS 6.5 – Medium), can cause the BIND “named” process to crash. This happens when handling a valid query containing a TKEY record. However, exploitation requires access to a trusted TSIG key already configured on the server. As a temporary measure, administrators should review and remove any unnecessary or potentially compromised TSIG keys.

The third vulnerability, CVE-2026-3591 (CVSS 5.4 – Medium), is related to improper memory handling in SIG(0) processing. A crafted DNS request can lead to incorrect ACL checks, potentially allowing unauthorized access in environments where permissive access rules are used. There are no effective workarounds for this issue, making patching essential.

Affected Versions and Fixes

These vulnerabilities impact multiple BIND 9 versions, including:

• 9.11.0 to 9.16.50
• 9.18.0 to 9.18.46
• 9.20.0 to 9.20.20
• 9.21.0 to 9.21.19

To address these issues, ISC has released patched versions:

• 9.18.47
• 9.20.21
• 9.21.20

Users of the BIND Supported Preview Edition should also apply the relevant S1 patches immediately.

At the time of disclosure, there are no confirmed reports of active exploitation. However, due to the potential impact on DNS infrastructure, organizations should prioritize updates, verify their deployed versions, and ensure proper monitoring to reduce risk.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Critical BIND 9 Vulnerabilities Require Immediate Attention appeared first on First Hackers News.

A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.