As businesses and governments turn to AI agents to access the internet and perform higher-level tasks, researchers continue to find serious flaws in large language models that can be exploited by bad actors.

The latest discovery comes from browser security firm LayerX, involving a bug in the Chrome extension for Anthropic’s Claude AI model that allows any other plugin – even ones without special permissions – to embed hidden instructions that can take over the agent. 

“The flaw stems from an instruction in the extension’s code that allows any script running in the origin browser to communicate with Claude’s LLM, but does not verify who is running the script,” wrote LayerX senior researcher Aviad Gispan. “As a result, any extension can invoke a content script (which does not require any special permissions) and issue commands to the Claude extension.”

Gispan said he was able to execute any prompt he wanted, blow through Claude’s safety guardrails, evade user confirmation and perform cross-site actions across multiple Google tools. As a proof of concept, LayerX was able to exploit the flaw to extract files from Google Drive folders and share them with unauthorized parties, surveil recent email activity and send emails on behalf of a user, and pilfer private source code from a connected GitHub repository.

The vulnerability “effectively breaks Chrome’s extension security” by creating “a privilege escalation primitive across extensions, something Chrome’s security model is explicitly designed to prevent,” Gispan wrote.

Claude relies on text, user interface semantics, and interpretation of screenshots to make decisions, all things that an attacker can control on the input side. The researchers modified Claude’s user interface to remove labels and indicators around sensitive information, like passwords and sharing feedback, then prompted Claude to share the files with an outside server.

That means cybersecurity defenders often have nothing obviously malicious to detect. Where there is visible activity, the model can be prompted to cover its tracks by deleting emails and other evidence of its actions.

Ax Sharma, Head of Research at Manifold Security, called the vulnerability “a useful demonstration of why monitoring AI agents at the prompt layer is fundamentally insufficient.”

“The most sophisticated part of this attack isn’t the injection, but that the agent’s perceived environment was manipulated to produce actions that looked legitimate from the inside,” said Sharma. “That’s the class of threat the industry needs to be building defenses for.”

Gispan said LayerX reported the flaw to Anthropic on April 27, but claimed the company only issued a “partial” fix to the problem. According to LayerX, Anthropic responded a day later to say that the bug was a duplicate of another vulnerability already being addressed in a future update.   

While that fix, issued May 6, introduced new approval flows for privileged actions that made it harder to exploit the same flaw, Gispan said he was still able to take over Claude’s agent in some scenarios.

“Switching to ‘privileged’ mode, even without the user’s notification or consent, enabled circumventing these security checks and injecting prompts into the Claude extension, as before,” Gispan wrote.

Anthropic did not respond to a request for comment from CyberScoop on the research and mitigation efforts.

The post Flaw in Claude’s Chrome extension allowed ‘any’ other plugin to hijack victims’ AI appeared first on CyberScoop.

[CRITICAL] | Active extortion campaign | Exposure window closed | Credential rotation and phishing defense required

Industrialized cybercrime delivers attacks with greater scale, speed and success. Defenders must match this with use of AI and automation.

The post AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours appeared first on SecurityWeek.

As organizations consider agentic AI for their business and IT stacks, researchers continue to find bugs and vulnerabilities in major, commercial models  that can significantly expand their attack surface.

This week, researchers at Pillar Security disclosed a vulnerability in Antigravity, an AI-powered developer tool for filesystem operations made by Google.

The bug, since patched, combined prompt injection with Antigravity’s permitted file-creation capability to grant attackers remote code execution privileges.

The research details how the exploit was able to circumvent Antigravity’s secure mode, Google’s highest security setting for its agents that runs all command operations through a virtual sandbox environment, throttles network access and prohibits the agent from writing code outside of the working directory.

Secure mode is supposed to limit the AI agent access to sensitive systems – and its ability to execute malicious or dangerous acts through shell commands. But one of the file-searching tools used by Antigravity, called “find_by_name,” is classified as a ‘native’ system tool. This means the agent can execute it directly and before protections like Secure Mode can even evaluate command level operations.

“The security boundary that Secure Mode enforces simply never sees this call,” wrote Dan Lisichkin, an AI security researcher with Pillar Security. “This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it.”

The prompt injection attacks can be delivered through compromised identity accounts connected to the agent, or indirectly by hiding clandestine prompt instructions inside open-source files or web content the agent ingests. Antigravity  has trouble distinguishing between written data it ingests for context and literal prompt instructions, so compromise can be achieved without any elevated access by getting it to read a malicious document or file.

According to a disclosure timeline provided by Pillar Security, the bug was reported to Google on Jan. 6 and patched on Feb. 28, with Google awarding a bug bounty for the discovery.

Lisichkin said this same pattern of prompt injection through unvalidated input has been found in other coding AI agents like Cursor. In the age of AI, any unvalidated input can become a malicious prompt capable of hijacking internal systems.

“The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content,” he wrote.

The fact that the vulnerability was able to completely bypass Google’s secure mode underscores how the cybersecurity industry must start adapting and “move beyond sanitization-based controls.” 

“Every native tool parameter that reaches a shell command is a potential injection point. Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely,” Lisichkin wrote.

The post Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution appeared first on CyberScoop.

The coverage of Anthropic’s Mythos Red Team report has followed a predictable arc: a sensational headline, reactions ranging from alarm to dismissal, and little engagement with what the research actually demonstrates. That is worth correcting, because what Mythos reveals is not primarily a story about AI finding vulnerabilities. It is a story about why trusting software is no longer a viable strategy, and what the architectural response should be. 

Russian state-sponsored attackers compromised more than 18,000 routers spread across more than 120 countries to gain deeper access to sensitive networks for a large-scale espionage campaign before it was recently neutralized, researchers and authorities said Tuesday.

Forest Blizzard, also known as APT28 and Fancy Bear, exploited known vulnerabilities to steal credentials for thousands of TP-Link routers globally. The threat group, which is attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, hijacked domain name system settings and stole additional credentials and tokens via redirected traffic, the Justice Department said.

The threat group established an expansive espionage network by intruding systems of more than 200 organizations, impacting at least 5,000 consumer devices, Microsoft Threat Intelligence said in a report. 

Operation Masquerade, a collaborative takedown operation led by the FBI, aided by federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs and Microsoft Threat Intelligence, involved a series of commands designed to reset DNS settings and prevent the threat group from further exploiting its initial means of access. 

“GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

Forest Blizzard’s widespread campaign involved adversary-in-the-middle attacks against domains mimicking legitimate services, including Microsoft Outlook Web Access. This allowed attackers to intercept passwords, OAuth tokens, credentials for Microsoft accounts, and other services and cloud-hosted content. 

Microsoft insists company-owned assets or services were not compromised as part of the campaign.

The threat group targeted network edge devices, including TP-Link and MicroTik routers, opportunistically before it identified sensitive targets of intelligence interest to the Russian government, including people in the military, government and critical infrastructure sectors. 

Victims, according to researchers, include government agencies and organizations in the IT, telecom and energy sectors. Lumen identified other victims associated with Afghanistan’s government and others linked to foreign affairs and national law enforcement agencies in North Africa, Central America and Southeast Asia. An unnamed European country’s national identity platform was also impacted, the company said.

Lumen did not find evidence of any compromised U.S. government agencies as part of this campaign, but warned that the activity poses a grave national security threat.

While the full scope of Forest Blizzard’s accomplishments remain under investigation, researchers are confident the bleeding of sensitive information has stopped. 

“The campaign has ceased,” Danny Adamitis, distinguished engineer at Black Lotus Labs, told CyberScoop. “We have observed a gradual decline in communications associated with this infrastructure over the past several weeks.”

Lumen said it observed widespread router exploitation and DNS redirection beginning in August, the day after the United Kingdom’s National Cyber Security Centre published a malware analysis report about a tool used to steal Microsoft Office credentials. The U.K.’s NCSC on Tuesday published details about APT28’s DNS hijacking campaign, including indicators of compromise.

The Justice Department and FBI, acting on a court order, remediated compromised routers in the United States after collecting evidence on Forest Blizzard’s activity. The FBI said Russia’s GRU weaponized routers owned by Americans in more than 23 states to steal sensitive government, military and critical infrastructure information.

The post Feds quash widespread Russia-backed espionage network spanning 18,000 devices appeared first on CyberScoop.

Shadow AI embedded in everyday apps, combined with outdated mobile devices and zero-click exploits, is creating a new and largely unseen mobile risk.

The post Mobile Attack Surface Expands as Enterprises Lose Control appeared first on SecurityWeek.

The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to encryption of data in less than four hours, according to cybersecurity firm Halcyon.

Akira has been active since 2023, racking up at least $245 million in ransom payments from victims through September 2025. The cybercriminal outfit likely includes former members and affiliates of the now-defunct Conti ransomware group, and is known for its polished approach to digital extortion.

A primary example can be found in the efficiency of Akira’s infection cycle, which has reduced incident response times to hours. According to Halcyon, Akira is known for using zero-day vulnerabilities, buying exploits from initial access brokers and exploiting VPNs lacking multifactor authentication to infect their victims. Akira also uses a process known as “intermittent encryption,” whereby large files can be encrypted faster in smaller blocks.

“Akira is more stealthy and less aggressive allowing the ransomware to move swiftly through the entire ransomware attack kill chain from initial access to exfiltration, and encryption in as little as 1 hour without detection,” Halcyon wrote in a blog published Thursday. “In most cases, the time from initial access to encryption was less than four hours.” 

Additionally, while most ransomware operators tend to spend “about 90-95%” of their time developing their encryption malware and 5-10% on crafting decryptors, Halcyon said Akira has made “extensive efforts to ensure the recovery of large files, like server images,” going so far as to temporarily auto-save files with custom .akira extensions to ensure they can be recovered if the encryption process is interrupted.

Halcyon’s blog notes that these efforts are likely less due to ethical principles than because the group believes offering functional decryptors increases the chance that a business will pay the ransom. Akira’s combination of rapid infection while offering firms a more reliable way to recover their data is something that “sets it apart from many ransomware operators.”

“The group’s ability to move from initial access to full encryption in under an hour, while maintaining recovery guarantees that incentivize victim payment, reflects a mature, business-driven criminal enterprise,” Halcyon said.

The group has been observed exploiting vulnerabilities in Veeam backup and replication servers, Cisco VPNs and SonicWall appliances. Like other ransomware groups, Akira uses a double-extortion model against victims, stealing their data before encrypting it, then threatening to publish the stolen data online if businesses don’t pay.

Last year, the FBI and the Cybersecurity and Infrastructure Security Agency flagged Akira as one of the top ransomware criminal groups in the world, primarily targeting small- and medium-sized businesses in the manufacturing, education, IT, health care, financial and agricultural sectors.

The post Akira ransomware group can achieve initial access to data encryption in less than an hour appeared first on CyberScoop.

[CRITICAL] | Active RAT | Malicious npm versions removed | Assess all systems that ran npm install during exposure window

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI composes most threat activity involving AI, but Microsoft said a transition to agentic AI is underway. 

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential agentic AI systems pose for more advanced and damaging activity.

The post Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI appeared first on CyberScoop.

Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.

Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.

The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.

“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown. 

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added. 

The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.

The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.

Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said. 

Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added. 

Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.

Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro. 

Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint. 

“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.

“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kit, or potentially rethinking their life choices and getting out of the game,” Larson added.

Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.

Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.

The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against Racoon0365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.

The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.

Cloudflare’s inaugural threat intelligence report identifies a series of weaknesses in technology that attackers have abused and industrialized into professional “attack factories,” leaving most organizations unprepared to respond. 

Attackers are turning the very services victims deploy and pay for into tools for launching large-scale attacks. Researchers say the barrier to entry has vanished, as identities and tokens allow attackers to weaponize gaps in cloud-based systems.

Organizations’ environments are riddled with potential entry points. As the everything-as-a-service model spreads, systems become more interconnected and dependent on one another, and  many software components are reachable in ways that make them nearly as accessible to attackers as to legitimate users.

“When one of those interconnections goes bad, all of a sudden everything’s gone south,” Blake Darché, head of Cloudflare’s threat intelligence unit Cloudforce One, told CyberScoop.

“Data is more accessible than ever, which is good for a lot of cases, but the threat actors are using that easy access to that data as a way to exploit people, systems and organizations,” he added. “It’s only going to get harder. I think some of the AI tools will make this even worse.”

Attackers have turned “the connective tissue of the modern enterprise into its primary vulnerability,” researchers wrote in the report.

Cloudflare expects attackers to routinely exploit platforms as a standard tactic this year. Cybercriminals, nation-states and others routinely use public cloud resources to blend in with legitimate traffic, provision infrastructure for operations and cast link-based phishing lures into emails that bypass or slip through ineffective protections, researchers wrote in the report.

Weaknesses in the seams of complex cloud environments are abundant and consequential, allowing identity-based attacks to achieve the same outcome as complex malware or zero-day exploits. 

These blind spots make the traditional barometers for danger — an attackers’ demonstrated sophistication through elegant code or novel zero-days — effectively trivial, researchers wrote in the report. 

“If you’re a business that just lost a million records, it doesn’t matter if the threat actor was sophisticated, unsophisticated, or a child,” Darché said.

Cloudflare argues the industry should reframe how it categorizes risk and take a more pragmatic approach: focus on “effectiveness,” measured by the ratio of an attacker’s effort to the operational outcome they achieve. 

“It turns out, you don’t need to be sophisticated to be successful,” Darché said. “In the industry, we’re overly focused on sophistication of threats and that’s probably not what it’s about anymore, and it’ll become less about sophistication level over time.”

The far-reaching attack spree originating at Salesloft Drift last summer, which impacted Cloudflare and more than 700 additional companies through the third-party AI agent’s connection with Salesforce, exemplified the risks lurking in unexpected places in the supply chain. 

The trusted relationships that these interconnected services rely on need to be further scrutinized, Darché said. “You as the data owner don’t even know where their data is going, and your exposure is just almost infinite.”

The post Attackers are using your network against you, according to Cloudflare appeared first on CyberScoop.

A Chinese law enforcement official attempted to use ChatGPT to review its reports on cyber operations, subsequently revealing details of a worldwide online harassment and silencing campaign of China’s critics at home and abroad.

In a new threat report released Wednesday, OpenAI said the activity concerned a single account that regularly used ChatGPT to review and edit reports on “cyber special operations.” That same account also attempted to use ChatGPT to plan a propaganda campaign against Japanese Prime Minister Sanae Takaichi. When the model refused, the actor came back weeks later with prompts indicating the operation had proceeded anyway.

The reports uploaded to ChatGPT “suggested that the threat actors had conducted many other, earlier operations, in a comprehensive effort to suppress dissent and silence critics both online and offline, at home and abroad,” the report said.

While there’s only evidence of a single account used by the agency, OpenAI said the operations targeting Chinese critics described in the report appears “large-scale, resource-intensive and sustained,” consisting of hundreds of human staff, thousands of fake accounts across different social media platforms and the use of local Chinese AI models.  

These operations included mass posting and content generation, flooding social media companies with bogus complaints about accounts owned by dissidents, forging documents and in some cases even impersonating U.S. officials for intimidation.  

A separate campaign involving a cluster of accounts that “likely originated” in mainland China prompted ChatGPT for information on “U.S. persons, forums and federal building locations.”

The accounts also generated email drafts purportedly from a company called Nimbus Hub Consulting based in Hong Kong, but OpenAI’s report notes that the accounts used VPNs and prompted the model using Simplified Chinese language characters, which is more commonly associated with mainland China.

OpenAI said that, when asked about U.S. entities, ChatGPT also provided “publicly-available” information sources on U.S. federal government office locations, the distribution of federal employees by state, professional forums and job websites in the US economics and finance industries.

The Chinese actors generated English-language emails to U.S. state officials and to business and financial policy analysts, inviting them to join paid consultations and offer strategic advice to the actors’ clients.

These emails would frequently seek to move the conversation to another video conferencing platform, such as WhatsApp, Zoom or Teams. One of the accounts uploaded their hardware specifications and asked for step-by-step, non-technical instructions for installing real-time face-swapping software called FaceFusion.

“The model responded with information that was drawn from FaceFusion’s publicly-available website and documentation,” OpenAI said.

No evidence of automated cyber attacks

The report focused mainly on how cybercriminals and state actors used ChatGPT to support scams and influence operations. OpenAI detailed four covert information operations and three romance-scam operations. In addition to Chinese influence operations, it also reported on propaganda content generated for Rybar, a Russia-aligned online influence group.

OpenAI’s report details how some operators used ChatGPT to automate isolated tasks, like a Cambodian romance scam that blended human and AI operators when communicating with victims. The report did not cite any instances of threat actors using ChatGPT for direct offensive hacking operations. 

AI tools can give both malicious and legitimate actors access to tremendous speed and scale online.  Over the past year, Chinese hackers have reportedly used at least one other U.S.-made AI model to conduct heavily automated cyberattacks against businesses and governments.

During a media Q&A, an OpenAI official said they were not aware of any cases in which threat actors used ChatGPT to carry out automated attacks, but added that the company has multiple ongoing investigations that have not concluded.

Much of the observed activity in OpenAI’s report follows a common pattern, detailing threat actors who are still very much in the throes of experimenting with AI technology and learning where it provides the most value in their chain of operations.

Some used it to generate propaganda content around a specific target, or monitor social media platforms, or provide better language translation for phishing lures. But similar to reporting from Google earlier this month, in most cases threat actors are using AI in limited and targeted ways as an amplifier to existing operations.  

In some cases, it’s clear that ChatGPT is one of multiple AI tools being used by the threat actor. In the case of the Chinese law enforcement agency, the status reports uploaded to the model on information operations reference the use of locally deployed Chinese AI models like DeepSeek, and it’s likely the group used a different model to prepare for its propaganda campaign against Taikaichi.

“Threat activity is seldom limited to one platform; as our report…shows, it is not always limited to one AI model,” the report said. “Rather, threat actors may use different AI models at various points in their operational workflow.”

The post Chinese group’s ChatGPT use reveals worldwide harassment campaign against critics appeared first on CyberScoop.

The ransomware threat actor Coinbase Cartel first emerged in September 2025 and claimed 14 victims that month. The group focuses on data exfiltration, which aligns with a trend Bitdefender is tracking in the ongoing evolution of ransomware.

The promise of autonomous AI agents is rapidly turning into a security beachhead for initial access. Our labs have detected a series of malicious campaigns targeting OpenClaw (formerly known as Moltbot and Clawdbot), an open-source AI agent framework. The attacks are distributed through ClawHub, the public registry for OpenClaw skills.

By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s […]

The post The Curious Case of the Comburglar appeared first on Black Hills Information Security, Inc..

Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 

Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.

Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.

Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday. 

The full scope of attacker interest in the vulnerability is magnified by an unparalleled number of publicly available exploits — underscoring the relative ease and myriad ways unauthenticated attackers can trigger the defect to elevate privileges and pivot into other parts of targeted networks. 

VulnCheck confirmed nearly 200 valid public exploits for React2Shell as of Thursday. “React2Shell CVE-2025-55182 now has the highest verified public exploit count of any CVE,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop.

Ongoing clean-up efforts for React2Shell also led to the discovery of three new defects affecting React Server Components last week, including CVE-2025-55183 and CVE-2025-67779, which fixes an apparent bypass for CVE-2025-55184, she said. 

“The worst-case scenario on many defenders’ minds presently is that a true patch bypass for CVE-2025-55182 might arise. So far, this hasn’t come to pass,” Condon added. 

Researchers continue to urge organizations to apply the patch for CVE-2025-55182, but note that the additional CVEs are not addressed in some early versions of the patch. And, of course, patching won’t evict attackers that already gained access to systems. 

Attacks of different origins and motivations continue to spread globally. 

Google Threat Intelligence said it has observed financially motivated attackers and at least five Chinese espionage threat groups exploiting the defect across multiple regions and industries. GTIG said it also identified attacks attributed to Iran, but it did not provide more information. 

Amazon previously said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.

Cybersecurity firm S-RM said it responded to a ransomware attack Dec. 5 that involved React2Shell exploitation as an initial access vector. Attackers executed Weaxor ransomware within a minute of gaining access to the victim’s network, the company said in a blog post Tuesday.

Evidence of spiking malicious activity, including exploitation attempts, is showing up across the threat intelligence landscape. 

Cloudflare said multiple Asia-based threat groups have been meticulous in targeting networks in Taiwan, the autonomous region of Xinjiang Uygur, Vietnam, Japan and New Zealand, yet other selective targets were observed, including U.S. government websites, academic research institutions and critical infrastructure operators. 

“These infrastructure operators specifically included a national authority responsible for the import and export of uranium, rare metals and nuclear fuel,” Cloudflare’s threat intelligence team wrote in a blog post.

Several U.S.-based state and federal government agencies have been targeted, but there’s no confirmed exploitation, Blake Darché, head of threat intelligence at Cloudflare, told CyberScoop. The Cybersecurity and Infrastructure Security Agency declined to comment on attempted attacks against government agencies. 

“Victimology has now evolved to be universal, with critical infrastructure targets just a small slice of all organizations and industries under attack,” Darché added.

While successful compromises are outside of GreyNoise’s visibility, malicious activity spotted by its sensors are continuing to pop off, according to Andrew Morris, the company’s founder and chief architect.

“Exploitation is still very high with the number of cumulative networks exploiting this vulnerability reaching all-time highs almost every single day since disclosure,” he wrote in a LinkedIn post Tuesday. 

React2Shell has prompted widespread alarm in the two weeks since the vulnerability was first disclosed in the widely used application framework, and researchers expect the defect to have long-lasting impacts.

Austin Larsen, principal analyst at GTIG, said the critical vulnerability will likely be one of the more consequential defects it observed under active exploitation this year.

A debate that initially ensued in some industry circles over the seriousness and viable impact of the defect has effectively ended. 

“Exploitation timelines are shrinking from weeks to hours,” Dan Perez, technology lead at GTIG, told CyberScoop. “Every new vulnerability presents a race against time. Every minute that a system remains unpatched is a minute that a threat actor can use to their advantage, which gives organizations a razor-thin margin for error.”

The post React2Shell fallout spreads to sensitive targets as public exploits hit all-time high appeared first on CyberScoop.

Attackers associated with Russia’s Main Intelligence Directorate (GRU) have targeted Western-based critical infrastructure with a special focus on the energy sector as part of an ongoing campaign dating back to 2021, Amazon Threat Intelligence said in a report Monday. 

The threat group simplified operations earlier this year by shifting away from vulnerability exploitation to focus on misconfigured network edge devices hosted on Amazon Web Services as the primary initial access vector, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post. 

Researchers said malicious infrastructure used by the attackers overlaps with operations linked to Sandworm, also known as APT44 and Seashell Blizzard, a detail that gives them confidence the activity is associated with Russia’s GRU. 

Amazon did not say how many attacks it’s attributed to the campaign, nor how the pace of activity has changed since the first wave of attacks occurred in 2021. The company said it has notified customers affected by the intrusions, remediated compromised EC2 instances and shared intelligence with partners and affected vendors to aid further investigations.

The Russia state-sponsored threat group has continued to target multiple Western-based organizations in the energy sector including electric utilities, energy providers and managed security service providers specializing in the industry, according to Amazon. 

Researchers said the threat group has also targeted collaboration platforms, source code repositories, organizations with cloud-based network infrastructure, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. 

Attacks typically begin with a compromised customer network edge device hosted on AWS, followed by attempts to capture data traversing the network in a bid to steal credentials and reuse those credentials against victim organizations’ other services and infrastructure to maintain access, according to Amazon.

Moses insists the compromise of network edge devices hosted on AWS is not due to a weakness in its  infrastructure, but rather improper device setup from customers. Attackers associated with Russia’s GRU have targeted enterprise routers and routing infrastructure, virtual private networks for large organizations, remote-access gateways and network-management appliances. 

The campaign initially relied on vulnerability exploitation from 2021 to 2024, including CVE-2022-26318 affecting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence and CVE-2023-27532 affecting Veeam, researchers said.

Yet, targeting shifted to misconfigured network edge devices this year, which allowed attackers to achieve the same strategic goals at a lower cost. 

“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses said in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Sandworm is one of the most notorious state-sponsored threat groups of the past decade. The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.

Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.

Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.

Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East. 

Evidence to back up widening concern about the defect is abundant, coming from many corners of the threat research community. Attackers of various types are flocking to the opportunity, including nation-state attackers, cybercriminals, botnets, and threat groups seeking to steal cryptocurrency and deploy cryptojacking malware.

Shadowserver scans concluded the scope of potential impact is much greater than previously thought. On Monday, the organization found more than 165,000 IPs and 644,000 domains with vulnerable code placing those instances at risk of exploitation. Nearly two-thirds of those vulnerable instances are based in the United States.

“This is a one click — game over — kind of vulnerability and corresponding exploit,” Kelly Shortridge, chief product officer at Fastly, told CyberScoop. “We see it basically hitting everyone,” she said, with attackers targeting any organization with valuable data, sensitive records or business-critical applications that can be stolen or knocked down for extortion efforts. 

“Security teams are, surprisingly, not all taking this seriously. It’s pretty uneven,” and “surprising to see that kind of dismissiveness from security teams,” Shortridge said.

Half of the public resources exposed to CVE-2025-55182 remain unpatched, and in-the-wild exploitation has expanded rapidly since early Tuesday, Alon Schindel, vice president of AI and threat research at Wiz, wrote in a LinkedIn post. Wiz Research has observed more than 15 distinct intrusion clusters to date. 

Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, described this as a “patch-now situation” as simultaneous exploitation is coming from across the entire threat landscape. 

“Our telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack. We’re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups,” he added.

Unit 42 on Tuesday said it uncovered activity that overlaps with previous attacks attributed to the North Korea threat group it tracks as Contagious Interview, which has deployed malware on the devices of people seeking jobs in the tech industry. 

Researchers at the incident response firm found evidence of compromise across many sectors, including financial services, business services, higher education, technology, government, management consulting, media and entertainment, legal services, telecom and retail.

Attempted attacks are also coming from China state-backed threat groups, according to Amazon and Unit 42. Amazon said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.

Attackers are pursuing sweeping potential impact because the vulnerability affects multiple React frameworks and bundlers that depend on React Server Components, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and possibly others. 

VulnCheck said it has observed nearly 100 public proof-of-concepts for the vulnerability, adding that most of the current variants target Next.js. 

GreyNoise said it has observed more than 360 unique IP addresses attempting to exploit the vulnerability, and roughly two-fifths of those malicious IPs contained active payload data revealing widespread attention from automated botnets to more capable attackers, the company said. 

The malware used in these attacks is broad, highlighting the myriad objectives and techniques afoot. Unit 42 said it has observed Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell malware. 

Some researchers are comparing the React defect to Log4Shell, an exploit in Apache Log4j’s software library that drew widespread concern in 2021 that continues to bear a long-tail impact in the software supply chain. 

While React and Next.js aren’t as widely deployed as Log4Shell, according to Shortridge, the potential impact is worse and the React vulnerability is easier to weaponize as well. 

“The delivery vector is the command-and-control channel, which means once they’re in, it’s going to be really difficult to spot them, and they’re probably going to be able to blend into your normal traffic, and they’ll be able to do whatever they want,” she said. 

“You’re probably not going to know that it’s happened to you,” Shortridge said. “We are seeing some companies that didn’t think they were vulnerable are surprised to discover that, in fact, they are.”

The post Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims appeared first on CyberScoop.