โŒ

Normal view

Fake apps, NFC skimming attacks, and other Android issues in 2026 | Kaspersky official blog

27 January 2026 at 17:36

The year 2025 saw a record-breaking number of attacks on Android devices. Scammers are currently riding a few major waves: the hype surrounding AI apps, the urge to bypass site blocks or age checks, the hunt for a bargain on a new smartphone, the ubiquity of mobile banking, and, of course, the popularity of NFC. Letโ€™s break down the primary threats of 2025โ€“2026, and figure out how to keep your Android device safe in this new landscape.

Sideloading

Malicious installation packages (APK files) have always been the Final Boss among Android threats, despite Googleโ€™s multi-year efforts to fortify the OS. By using sideloading โ€” installing an app via an APK file instead of grabbing it from the official store โ€” users can install pretty much anything, including straight-up malware. And neither the rollout of Google Play Protect, nor the various permission restrictions for shady apps have managed to put a dent in the scale of the problem.

According to preliminary data from Kaspersky for 2025, the number of detected Android threats grew almost by half. In the third quarter alone, detections jumped by 38% compared to the second. In certain niches, like Trojan bankers, the growth was even more aggressive. In Russia alone, the notorious Mamont banker attacked 36 times more users than it did the previous year, while globally this entire category saw a nearly fourfold increase.

Today, bad actors primarily distribute malware via messaging apps by sliding malicious files into DMs and group chats. The installation file usually sports an enticing name (think โ€œparty_pics.jpg.apkโ€ or โ€œclearance_sale_catalog.apkโ€), accompanied by a message โ€œhelpfullyโ€ explaining how to install the package while bypassing the OS restrictions and security warnings.

Once a new device is infected, the malware often spams itself to everyone in the victimโ€™s contact list.

Search engine spam and email campaigns are also trending, luring users to sites that look exactly like an official app store. There, theyโ€™re prompted to download the โ€œlatest helpful appโ€, such as an AI assistant. In reality, instead of an installation from an official app store, the user ends up downloading an APK package. A prime example of these tactics is the ClayRat Android Trojan, which uses a mix of all these techniques to target Russian users. It spreads through groups and fake websites, blasts itself to the victimโ€™s contacts via SMS, and then proceeds to steal the victimโ€™s chat logs and call history; it even goes as far as snapping photos of the owner using the front-facing camera. In just three months, over 600 distinct ClayRat builds have surfaced.

The scale of the disaster is so massive that Google even announced an upcoming ban on distributing apps from unknown developers starting in 2026. However, after a couple of months of pushback from the dev community, the company pivoted to a softer approach: unsigned apps will likely only be installable via some kind of superuser mode. As a result, we can expect scammers to simply update their how-to guides with instructions on how to toggle that mode on.

Kaspersky for Android will help you protect yourself from counterfeit and trojanized APK files. Unfortunately, due to Googleโ€™s decision, our Android security apps are currently unavailable on Google Play. Weโ€™ve previously provided detailed information on how to install our Android apps with a 100% guarantee of authenticity.

NFC relay attacks

Once an Android device is compromised, hackers can skip the middleman to steal the victimโ€™s money directly thanks to the massive popularity of mobile payments. In the third quarter of 2025 alone, over 44ย 000 of these attacks were detected in Russia alone โ€” a 50% jump from the previous quarter.

There are two main scams currently in play: direct and reverse NFC exploits.

Direct NFC relay is when a scammer contacts the victim via a messaging app and convinces them to download an app โ€” supposedly to โ€œverify their identityโ€ with their bank. If the victim bites and installs it, theyโ€™re asked to tap their physical bank card against the back of their phone and enter their PIN. And just like that the card data is handed over to the criminals, who can then drain the account or go on a shopping spree.

Reverse NFC relay is a more elaborate scheme. The scammer sends a malicious APK and convinces the victim to set this new app as their primary contactless payment method. The app generates an NFC signal that ATMs recognize as the scammerโ€™s card. The victim is then talked into going to an ATM with their infected phone to deposit cash into a โ€œsecure accountโ€. In reality, those funds go straight into the scammerโ€™s pocket.

We break both of these methods down in detail in our post, NFC skimming attacks.

NFC is also being leveraged to cash out cards after their details have been siphoned off through phishing websites. In this scenario, attackers attempt to link the stolen card to a mobile wallet on their own smartphone โ€” a scheme we covered extensively in NFC carders hide behind Apple Pay and Google Wallet.

The stir over VPNs

In many parts of the world, getting onto certain websites isnโ€™t as simple as it used to be. Some sites are blocked by local internet regulators or ISPs via court orders; others require users to pass an age verification check by showing ID and personal info. In some cases, sites block users from specific countries entirely just to avoid the headache of complying with local laws. Users are constantly trying to bypass these restrictions โ€”and they often end up paying for it with their data or cash.

Many popular tools for bypassing blocks โ€” especially free ones โ€” effectively spy on their users. A recent audit revealed that over 20 popular services with a combined total of more than 700 million downloads actively track user location. They also tend to use sketchy encryption at best, which essentially leaves all user data out in the open for third parties to intercept.

Moreover, according to Google data from November 2025, there was a sharp spike in cases where malicious apps are being disguised as legitimate VPN services to trick unsuspecting users.

The permissions that this category of apps actually requires are a perfect match for intercepting data and manipulating website traffic. Itโ€™s also much easier for scammers to convince a victim to grant administrative privileges to an app responsible for internet access than it is for, say, a game or a music player. We should expect this scheme to only grow in popularity.

Trojan in a box

Even cautious users can fall victim to an infection if they succumb to the urge to save some cash. Throughout 2025, cases were reported worldwide where devices were already carrying a Trojan the moment they were unboxed. Typically, these were either smartphones from obscure manufacturers or knock-offs of famous brands purchased on online marketplaces. But the threat wasnโ€™t limited to just phones; TV boxes, tablets, smart TVs, and even digital photo frames were all found to be at risk.

Itโ€™s still not entirely clear whether the infection happens right on the factory floor or somewhere along the supply chain between the factory and the buyerโ€™s doorstep, but the device is already infected before the first time itโ€™s turned on. Usually, itโ€™s a sophisticated piece of malware called Triada, first identified by Kaspersky analysts back in 2016. Itโ€™s capable of injecting itself into every running app to intercept information: stealing access tokens and passwords for popular messaging apps and social media, hijacking SMS messages (confirmation codes: ouch!), redirecting users to ad-heavy sites, and even running a proxy directly on the phone so attackers can browse the web using the victimโ€™s identity.

Technically, the Trojan is embedded right into the smartphoneโ€™s firmware, and the only way to kill it is to reflash the device with a clean OS. Usually, once you dig into the system, youโ€™ll find that the device has far less RAM or storage than advertised โ€” meaning the firmware is literally lying to the owner to sell a cheap hardware config as something more premium.

Another common pre-installed menace is the BADBOX 2.0 botnet, which also pulls double duty as a proxy and an ad-fraud engine. This one specializes in TV boxes and similar hardware.

How to go on using Android without losing your mind

Despite the growing list of threats, you can still use your Android smartphone safely! You just have to stick to some strict mobile hygiene rules.

  • Install a comprehensive security solution on all your smartphones. We recommend Kaspersky for Androidย to protect against malware and phishing.
  • Avoid sideloading apps via APKs whenever you can use an app store instead. A known app store โ€” even a smaller one โ€” is always a better bet than a random APK from some random website. If you have no other choice, download APK files only from official company websites, and double-check the URL of the page youโ€™re on. If you arenโ€™t 100% sure what the official site is, donโ€™t just rely on a search engine; check official business directories or at least Wikipedia to verify the correct address.
  • Read OS warnings carefully during installation. Donโ€™t grant permissions if the requested rights or actions seem illogical or excessive for the app youโ€™re installing.
  • Under no circumstances should you install apps from links or attachments in chats, emails, or similar communication channels.
  • Never tap your physical bank card against your phone. There is absolutely no legitimate scenario where doing this would be for your own benefit.
  • Do not enter your cardโ€™s PIN into any app on your phone. A PIN should only ever be requested by an ATM or a physical payment terminal.
  • When choosing a VPN, stick to paid ones from reputable companies.
  • Buy smartphones and other electronics from official retailers, and steer clear of brands youโ€™ve never heard of. Remember: if a deal seems too good to be true, it almost certainly is.

Other major Android threats from 2025:

IAM Identity Center now supports IPv6

26 January 2026 at 21:17

Amazon Web Services (AWS) recommends using AWS IAM Identity Center to provide your workforce access to AWS managed applicationsโ€”such as Amazon Q Developerโ€”and AWS accounts. Today, we announced IAM Identity Center support for IPv6. To learn more about the advantages of IPv6, visit the IPv6 product page.

When you enable IAM Identity center, it provides an access portal for workforce users to access their AWS applications and accounts either by signing in to the access portal using a URL or by using a bookmark for the application URL. In either case, the access portal handles user authentication before granting access to applications and accounts. Supporting both IPv4 and IPv6 connectivity to the access portal helps facilitate seamless access for clients, such as browsers and applications, regardless of their network configuration.

The launch of IPv6 support in IAM Identity Center introduces new dual-stack endpoints that support both IPv4 and IPv6, so that users can connect using IPv4, IPv6, or dual-stack clients. Current IPv4 endpoints continue to function with no action required. The dual stack capability offered by Identity Center extends to managed applications. When users access the application dual-stack endpoint, the application automatically routes to the Identity Center dual-stack endpoint for authentication. To use Identity Center from IPv6 clients, you must direct your workforce to use the new dual-stack endpoints, and update configurations on your external identity provider (IdP), if you use one.

In this post, we show you how to update your configuration to allow IPv6 clients to connect directly to IAM Identity Center endpoints without requiring network address translation services. We also show you how to monitor which endpoint users are connecting to. Before diving into the implementation details, letโ€™s review the key phases of the transition process.

Transition overview

To use IAM Identity Center from an IPv6 network and client, you need to use the new dual-stack endpoints. Figure 1 shows what the transition from IPv4 to IPv6 over dual-stack endpoints looks like when using Identity Center. The figure shows:

  • A before state where clients use the IPv4 endpoints.
  • The transition phase, when your clients use a combination of IPv4 and dual-stack endpoints.
  • After the transition is complete, your clients will connect to dual-stack endpoints using their IPv4 or IPv6, depending on their preferences.

Figure 1: Transition from IPv4-only to dual-stack endpoints

Figure 1: Transition from IPv4-only to dual-stack endpoints

Prerequisites

You must have the following prerequisites in place to enable IPv6 access for your workforce users and administrators:

  • An existing IAM Identity Center instance
  • Updated firewalls or gateways to include the new dual-stack endpoints
  • IPv6 capable clients and networks

Work with your network administrators to update the configuration of your firewalls and gateways and to verify that your clients, such as laptops or desktops, are ready to accept IPv6 connectivity. If you have already enabled IPv6 connectivity for other AWS services, you might be familiar with these changes. Next, implement the two steps that follow.

Step 1: Update your IdP configuration

You can skip this step If you donโ€™t use an external IdP as your identity source.

In this step, you update the Assertion Consumer Service (ACS) URL from your IAM Identity Center instance into your IdPโ€™s configuration for single sign-on and the SCIM configuration for user provisioning. Your IdPโ€™s capability determines how you update the ACS URLs. If your IdP supports multiple ACS URLs, configure both IPv4 and dual-stack URLs to enable a flexible transition. With that configuration, some users can continue using IPv4-only endpoints while others use dual-stack endpoints for IPv6. If your IdP supports only one ACS URL, to use IPv6 you must update the new dual-stack ACS URL in your IdP and transition all users to using dual-stack endpoints. If you donโ€™t use an external IdP, you can skip this step and go to the next step.

Update both the SAML single sign-on and the SCIM provisioning configurations:

  1. Update the single sign-on settings in your IdP to use the new dual-stack URLs. First, locate the URLs in the AWS Management Console for IAM Identity Center.
    1. Choose Settings in the navigation pane and then select Identity source.
    2. Choose Actions and select Manage authentication.
    3. in Under Manage SAML 2.0 authentication, you will find the following URLs under Service provider metadata:
      • AWS access portal sign-in URL
      • IAM Identity Center Assertion Consumer Service (ACS) URL
      • IAM Identity Center issuer URL
  2. If your IdP supports multiple ACS URLs, then add the dual-stack URL to your IdP configuration alongside existing IPv4 one. With this setting, you and your users can decide when to start using the dual-stack endpoints, without all users in your organization having to switch together.

    Figure 2: Dual-stack single sign-on URLs

    Figure 2: Dual-stack single sign-on URLs

  3. If your IdP does not support multiple ACS URLs, replace the existing IPv4 URL with the new dual-stack URL, and switch your workforce to use only the dual-stack endpoints.
  4. Update the provisioning endpoint in your IdP. Choose Settings in the navigation pane and under Identity source, choose Actions and select Manage provisioning. Under Automatic provisioning, copy the new SCIM endpoint that ends in api.aws. Update this new URL in your external IdP.

    Figure 3: Dual-stack SCIM endpoint URL

    Figure 3: Dual-stack SCIM endpoint URL

Step 2: Locate and share the new dual-stack endpoints

Your organization needs two kinds of URLs for IPv6 connectivity. The first is the new dual-stack access portal URL that your workforce users use to access their assigned AWS applications and accounts. The dual-stack access portal URL is available in the IAM Identity Center console, listed as the Dual-stack in the Settings summary (you might need to expand the Access portal URLs section, shown in Figure 4).

Figure 4: Locate dual-stack access portal endpoints

Figure 4: Locate dual-stack access portal endpoints

This dual-stack URL ends with app.aws as its top-level domain (TLD). Share this URL with your workforce and ask them to use this dual-stack URL to connect over IPv6. As an example, if your workforce uses the access portal to access AWS accounts, they will need to sign in through the new dual-stack access portal URL when using IPv6 connectivity. Alternately, if your workforce accesses the application URL, you need to enable the dual-stack application URL following application-specific instructions. For more information, see AWS services that support IPv6.

The URLs that administrators use to manage IAM Identity Center are the second kind of URL your organization needs. The new dual-stack service endpoints end in api.aws as their TLD and are listed in the Identity Center service endpoints. Administrators can use these service endpoints to manage users and groups in Identity Center, update their access to applications and resources, and perform other management operations. As an example, if your administrator uses identitystore.{region}.amazonaws.com to manage users and groups in Identity Center, they should now use the dual-stack version of the same service endpoint which is identitystore.{region}.api.aws, so they can connect to service endpoints using IPv6 clients and networks.

If your users or administrators use an AWS SDK to access AWS applications and accounts or manage services, follow Dual-stack and FIPS endpoints to enable connectivity to the dual-stack endpoints.

After completing these two steps, your workforce and administrators can connect to IAM Identity Center using IPv6. Remember, these endpoints also support IPv4, so clients not yet IPv6-capable can continue to connect using IPv4.

Monitoring dual-stack endpoint usage

You can optionally monitor AWS CloudTrail logs to track usage of dual-stack endpoints. The key difference between IPv4-only and dual-stack endpoint usage is the TLD and appears in the clientProvidedHostHeader field. The following example shows the difference between these CloudTrail events for the CreateTokenWithIAM API call.

IPv4-only endpoints Dual-stack endpoints
"CloudTrailEvent": {
  "eventName": "CreateToken",
  "tlsDetails": {
     "tlsVersion": "TLSv1.3",
     "cipherSuite": "TLS_AES_128_GCM_SHA256",
     "clientProvidedHostHeader": "oidc.us-east-1.amazonaws.com"
  }
}
"CloudTrailEvent": {
  "eventName": "CreateToken",
  "tlsDetails": {
     "tlsVersion": "TLSv1.3",
     "cipherSuite": "TLS_AES_128_GCM_SHA256",
     "clientProvidedHostHeader": "oidc.us-east-1.api.aws"
  }
}

Conclusion

IAM Identity Center now allows clients to connect over IPv6 natively with no network address translation infrastructure. This post showed you how to transition your organization to use IPv6 with Identity Center and its integrated applications. Remember that existing IPv4 endpoints will continue to function, so you can transition at your own pace. Also, no immediate action is required by you. However, we recommend planning your transition to take advantage of IPv6 benefits and meet compliance requirements. If you have questions, comments, or concerns, contactย AWS Support, or start a new thread in the IAM Identity Center re:Post channel.

ย 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
ย 

Suchintya Dandapat Suchintya Dandapat
Suchintya Dandapat is a Principal Product Manager for AWS where he partners with enterprise customers to solve their toughest identity challenges, enabling secure operations at global scale.

Updated PCI PIN compliance package for AWS CloudHSM now available

26 January 2026 at 19:11

Amazon Web Services (AWS) is pleased to announce the successful completion of Payment Card Industry Personal Identification Number (PCI PIN) audit for the AWS CloudHSM service.

With CloudHSM, you can manage and access your keys on FIPS 140-3 Level 3 validated hardware, protected with customer-owned, single-tenant hardware security module (HSM) instances that run in your own virtual private cloud (VPC). This PCI PIN attestation gives you the flexibility to deploy your regulated workloads with reduced compliance overhead. CloudHSM might be suitable when operations supported by the service are integrated into a broader solution that requires PCI-PIN compliance. For payment operations, such as PIN translation, we encourage you to consider AWS Payment Cryptography as a fully managed alternative for PCI-PIN compliance.

The PCI PIN compliance report package for AWS CloudHSM includes two key components:

  • PCI PIN Attestation of Compliance (AOC) โ€“ demonstrating that AWS CloudHSM was successfully validated against the PCI PIN standard with zero findings
  • PCI PIN Responsibility Summary โ€“ provides guidance to help AWS customers understand their responsibilities in developing and operating a highly secure environment for handling PIN-based transactions

AWS was evaluated by Coalfire, a third-party Qualified Security Assessor (QSA). Customers can access the PCI PIN Attestation of Compliance (AOC) and PCI PIN Responsibility Summary reports through AWS Artifact.

To learn more about our PCI program and other compliance and security programs, see the AWS Compliance Programs page. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Contact Us page.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Tushar Jain

Tushar Jain

Tushar is a Compliance Program Manager at AWS. He leads multiple security and privacy initiatives within AWS. Tushar holds a Master of Business Administration from Indian Institute of Management Shillong, India and a Bachelor of Technology in electronics and telecommunication engineering from Marathwada University, India. He has over 13 years of experience in information security and holds CCSK and CSXF certifications.

Will Black

Will Black

Will is a Compliance Program Manager at Amazon Web Services. He leads multiple security and compliance initiatives within AWS. He has ten years of experience in compliance and security assurance and holds a degree in Management Information Systems from Temple University. Additionally, he holds the CCSK and ISO 27001 Lead Implementer certifications.

Updated PCI PIN compliance package for AWS Payment Cryptography now available

24 January 2026 at 00:14

Amazon Web Services (AWS) is pleased to announce the successful completion of Payment Card Industry Personal Identification Number (PCI PIN) audit for the AWS Payment Cryptography service.

With AWS Payment Cryptography, your payment processing applications can use payment hardware security modules (HSMs) that are PCI PIN Transaction Security (PTS) HSM certified and fully managed by AWS, with PCI PIN-compliant key management. This attestation gives you the flexibility to deploy your regulated workloads with reduced compliance overhead.

The PCI PIN compliance report package for AWS Payment Cryptography includes two key components:

  • PCI PIN Attestation of Compliance (AOC) โ€“ demonstrating that AWS Payment Cryptography was successfully validated against the PCI PIN standard with zero findings
  • PCI PIN Responsibility Summary โ€“ provides guidance to help AWS customers understand their responsibilities in developing and operating a highly secure environment for handling PIN-based transactions

AWS was evaluated by Coalfire, a third-party Qualified Security Assessor (QSA). Customers can access the PCI PIN Attestation of Compliance (AOC) and PCI PIN Responsibility Summary reports through AWS Artifact.

To learn more about our PCI programs and other compliance and security programs, visit the AWS Compliance Programs page. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Compliance Support page.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Tushar Jain

Tushar Jain

Tushar is a Compliance Program Manager at AWS. He leads multiple security and privacy initiatives within AWS. Tushar holds a Master of Business Administration from Indian Institute of Management Shillong, India and a Bachelor of Technology in electronics and telecommunication engineering from Marathwada University, India. He has over 13 years of experience in information security and holds CCSK and CSXF certifications.

Will Black

Will Black

Will is a Compliance Program Manager at Amazon Web Services. He leads multiple security and compliance initiatives within AWS. He has ten years of experience in compliance and security assurance and holds a degree in Management Information Systems from Temple University. Additionally, he holds the CCSK and ISO 27001 Lead Implementer certifications.

AWS achieves 2025 C5 Type 2 attestation report with 183 services in scopeย 

23 January 2026 at 22:39

Amazon Web Services (AWS) is pleased to announce a successful completion of the 2025 Cloud Computing Compliance Criteria Catalogue (C5) attestation cycle with 183 services in scope. This alignment with C5 requirements demonstrates our ongoing commitment to adhere to the heightened expectations for cloud service providers. AWS customers in Germany and across Europe can run their applications in the AWS Regions that are in scope of the C5 report with the assurance that AWS aligns with C5 criteria.

The C5 attestation scheme is backed by the German government and was introduced by the Federal Office for Information Security (BSI) in 2016. AWS has adhered to the C5 requirements since their inception. C5 helps organizations demonstrate operational security against common cybersecurity threats when using cloud services.

Independent third-party auditors evaluated AWS for the period of October 1, 2024, through September 30, 2025. The C5 report illustrates the compliance status of AWS for both the basic and additional criteria of C5. Customers can download the C5 report through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console or learn more at Getting Started with AWS Artifact.

AWS has added the following five services to the current C5 scope:

The following AWS Regions are in scope of the 2025 C5 attestation: Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), Europe (Spain), Europe (Zurich), and Asia Pacific (Singapore). For up-to-date information, see the C5 page of our AWS Services in Scope by Compliance Program.

Security and compliance is a shared responsibility between AWS and the customer. When customers move their computer systems and data to the cloud, security responsibilities are shared between the customer and the cloud service provider. For more information, see the AWS Shared Security Responsibility Model.

To learn more about our compliance and security programs, see AWS Compliance Programs. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Contact Us page.

Reach out to your AWS account team if you have questions or feedback about the C5 report.
If you have feedback about this post, submit comments in the Comments section below.

Tea Jioshvili

Tea Jioshvili

Tea is a Manager in AWS Compliance & Security Assurance based in Berlin, Germany. She leads various third-party audit programs across Europe. She previously worked in security assurance and compliance, business continuity, and operational risk management in the financial industry for 20 years.

Building Cyber Readiness Early: Why Youth Education Is a Security Necessity

23 January 2026 at 13:00

Cyber security is often framed as a problem for enterprises, governments, and seasoned professionals. But by the time organizations begin searching for talent, the damage has often already been done. Threat actors donโ€™t wait for workforce pipelines to catch up and our approach to cyber security education shouldnโ€™t either. Todayโ€™s digital threats target schools, hospitals, municipalities, and small businesses just as aggressively as large enterprises. Ransomware attacks shut down classrooms. Phishing campaigns exploit young users as easily as experienced employees. Yet cyber security education is still treated as a late-stage specialization, introduced only when individuals enter the workforce or pursue [โ€ฆ]

The post Building Cyber Readiness Early: Why Youth Education Is a Security Necessity appeared first on Check Point Blog.

What the Alien Franchise Taught Me About Cybersecurity

22 January 2026 at 19:10

How Ripley's Fight for Survival Became My Blueprint for SOC Transformation

I'll admit it. I wasn't planning to rewatch science fiction horror films when I sat down to write about modern cybersecurity challenges. But there I was, staring at yet another draft about SOC modernization when our content team threw out a wild idea: What if we explained threat actors through the lens of a Science Fiction movie like Alien?

Yo, Hicks. I think we got something here!

Against my better judgment, I queued up the original 1979 film. Somewhere between the chest-burster scene and Ripley's desperate attempt to purge the Nostromo's systems, it hit me: This crew had every problem a modern security operations center faces daily.

Stay with me here.

The Unknown Threat Aboard Your Ship

In the original Alien, the crew of the Nostromo responds to what they think is a distress signal. Spoiler alert: It's not. By the time they realize they've brought something deadly aboard, it's already loose in the ship's ventilation system, moving freely through areas they can't monitor.

Sound familiar? That's exactly how modern breaches unfold. Threat actors don't announce themselves with flashing lights and alarm bells. They exploit a vulnerability, establish a foothold, and move laterally through your environment while remaining undetected. According toย recent Unit 42ยฎ research, the mean time to exfiltrate has dropped from nine days in 2021 to just two days in 2023. Some incidents now occur in under 30 minutes. The xenomorph's (the alienโ€™s) rapid lifecycle has nothing on modern ransomware operators.

The Nostromo crew's problem wasn't just the alien. It was that their ship's systems couldn't tell them where the threat actually was. Their motion trackers picked up movement, but couldn't distinguish between crew members, the cat or the xenomorph. Legacy SIEM systems have the same problem, generating thousands of alerts without the context to determine which ones represent actual threats.

"I Can't Lie About Your Chances, But You Have My Sympathies"

One of the most chilling moments in Alien comes when Ash, the science officer, reveals he's actually a synthetic programmed by the company to prioritize retrieving the alien specimen over crew survival. "I can't lie to you about your chances, but... you have my sympathies."

This is what alert fatigue feels like in a modern SOC.

Security teams face an overwhelming reality:

Like the Nostromo crew discovering their systems were working against them, security analysts often find their tools generate more noise than signal. Traditional SIEMs bombard teams with redundant alerts while real threats slip through undetected. Analysts spend their days triaging false positives instead of hunting actual threats. Basically, theyโ€™re sorting through motion tracker pings while the xenomorph stalks the corridors.

The Company Knew (And Your Attack Surface Knows Too)

From Aliens (the 1986 sequel), we learn that the Weyland-Yutani Corporation knew about the xenomorph threat all along. They had information about LV-426, but that intelligence never reached the colonists who needed it. The result? An entire colony was lost because critical threat intelligence wasn't properly shared and acted upon.

This is the attack surface management problem in a nutshell.

You can't protect what you can't see. Like the colonial marines arriving at LV-426 with incomplete intelligence, security teams often lack comprehensive visibility across their cloud environments, hybrid infrastructures and sprawling IoT deployments.

Modern attack surface management addresses this:

  • Providing continuous assessment of your external attack surface.
  • Identifying abandoned, rogue or misconfigured assets before attackers find them.
  • Monitoring for vulnerable systems proactively.
  • Unifying visibility across network, endpoint, cloud and identity.

Think of it as having the schematics and sensor data Ripley desperately needed โ€“ a complete picture of where threats could hide and how they might move through your environment.

The Power Loader Moment: Amplifying Human Response with Automation

In the climactic scene of Aliens, Ripley straps into a power loader exosuit to fight the alien queen. She's still human, still making the decisions, but now she's augmented with technology that amplifies her capabilities and response speed.

This is exactly what AI-driven security operations should do.

Legacy SIEM is like facing the xenomorph queen with your bare hands. Modern AI-driven platforms are the power loader, they don't replace the human operator, but they dramatically amplify what that human can accomplish.

Platforms like Cortex XSIAMยฎ can process over 1 million events per second while reducing the number of incidents requiring human investigation to single digits per day. The technology handles the heavy lifting:

  • Automated data integration and normalization across all security tools
  • Machine learning models that detect anomalies in user behavior
  • Intelligent alert correlation that groups related events into single incidents
  • Automated response workflows that contain threats in minutes, not hours

Organizations using AI-driven SOC platforms report automating up to 98% of Tier 1 operations. Your analysts still make the critical decisions, they're just equipped with vastly better tools to execute those decisions at machine speed.

The Danger of Fragmented Systems

Throughout the Alien franchise, crew members are constantly struggling with fragmented information. The motion tracker shows movement, but not identity. The door controls are on a different system than life support. Communications are spotty. When seconds count, they're wasting precious time switching between systems and trying to piece together incomplete information.

This is the daily reality in most security operations centers.

The same attack generates alerts in multiple interfaces: your SIEM, EDR console, cloud security platform, identity provider. Itโ€™s like seeing the xenomorph's tail in one system, hearing its hiss in another, and detecting acid blood in a third, but never getting the full picture until it's too late.

The engineering challenge isn't just buying better sensors. It's creating a unified data foundation where security-relevant information is collected, stored and normalized together. When all your security data lives in a single data lake, AI models can recognize patterns that would never surface in siloed systems. Itโ€™s like understanding that the motion tracker ping, the door malfunctioning and the broken steam pipe are all connected to the same threat.

What this unified approach enables:

  • Cross-data analytics that correlate threats across different data sources.
  • Complete context of an attack from initial entry to lateral movement.
  • Automated response that addresses root causes, not just symptoms.
  • Seamless collaboration between SOC analysts, threat hunters and incident responders.

"Nuke It From Orbit! It's the Only Way to Be Sure"

In Aliens, the solution to an overwhelming infestation is drastic: orbital bombardment. While we don't recommend that approach for cybersecurity (your compliance team will object), there's a lesson here about the importance of decisive, automated response.

When the colonial marines discover the scope of the xenomorph infestation, their problem isn't just detection, it's that their response capabilities can't match the threat's speed and scale. By the time they've cleared one corridor, the aliens have flanked them through the ceiling.

Modern threats move at similar speeds. Attackers can pivot from initial compromise to data exfiltration faster than human analysts can investigate and coordinate responses across multiple tools. This is where automation becomes essential, not as a replacement for human judgment, but as the mechanism that executes decisions at the speed threats actually move.

The key is having the right response capabilities:

  • Fast enough to outpace attacker movement.
  • Comprehensive enough to address root causes.
  • Automated enough to execute without human bottlenecks.
  • Intelligent enough to avoid collateral damage.

You don't need to nuke your network from orbit. You need response automation that contains threats before they spread.

The Survivor (And Why Human Expertise Still Matters)

Ellen Ripley survives the Alien franchise through a combination of factors: technical competence, situational awareness, decisive action and refusal to give up. But here's what's critical. She's effective not because she's superhuman, but because she's highly trained, learns from experience, and adapts her approach as threats evolve.

The same principles apply to security operations.

AI and automation dramatically improve efficiency and response times, but skilled security professionals remain essential. The goal isn't to replace analysts. It's to free them from repetitive tasks so they can focus on what humans do best: creative problem-solving, threat hunting, strategic thinking.

The cybersecurity labor shortage continues to grow, and analysts experience burnout from manual processes that consume time better spent on high-value activities. Modern platforms address this by automating routine work while augmenting human decision-making. Instead of spending hours manually correlating events and switching between consoles, analysts receive high-fidelity incidents with complete context.

Ripley didn't survive because she had the best equipment (though the power loader helped). She survived because she understood the threat, adapted her tactics, and made smart decisions under pressure. Your security team needs the same combination: World-class tools that amplify their capabilities and free them to do the strategic thinking that actually stops sophisticated threats.

What Ripley Would Do With Modern SecOps

Imagine what the Nostromo crew could have done if they had access to modern security operations technology:

  • Detected the alien's presence immediately through behavioral analytics instead of relying on motion trackers.
  • Tracked its movement through integrated sensor data across the entire ship.
  • Automatically sealed compartments and adjusted life support to contain the threat.
  • Had complete visibility into every system, eliminating hiding spots and blind spots.

Your organization shouldn't face threats with 1970s technology while attackers use 2025 capabilities. The evolution from traditional log management to AI-driven security operations isn't just about buying new tools. It's about fundamentally transforming how your security team operates, moving from reactive alert management to proactive threat hunting, from fragmented tools to unified platforms, from manual response to intelligent automation.

The xenomorph was a perfect organism: efficient, deadly, focused solely on survival and reproduction. Modern threat actors are similarly evolved, using AI and automation to attack at machine speed. Your defenses need to match that evolution.

In Space, No One Can Hear You Scream, But Your SOC Platform Can

Modern security operations require more than collecting logs and hoping someone notices the anomalies. You need unified visibility, AI-driven analytics and automated response capabilities that can keep pace with threats that move at the speed of code.

Whether you're drowning in alerts, struggling with tool sprawl, or trying to defend against attackers moving faster than human reaction times, there's a better way forward. And unlike the Nostromo crew, you don't have to face it alone with outdated equipment and fragmented systems.

Just comprehensive security, delivered at the speed of AI.

Because in cybersecurity, everyone can hear you scream when your SIEM fails. The question is whether your security operations platform can stop the threat before it gets that far.

Take the Next Step

If you're ready to move from fragmented tools to unified security operations, download our whitepaper, Endpoint First: Charting the Course to AI-Driven Security Operations to break down the practical steps to get there.


Key Takeaways

  1. Stop Drowning in Alerts (AKA: Your SIEM Shouldn't Feel Like a Motion Tracker): Legacy Security Information and Event Management (SIEM) systems generate thousands of alerts without the necessary context. The modern approach requires moving past redundant alerts to a system that can accurately distinguish between noise and actual threats, a necessity driven by the rapidly decreasing time attackers take to exfiltrate data.
  2. Get the Full Ship Schematics (Because You Can't Fight What You Can't See): Many organizations lack comprehensive visibility across their environments (cloud, hybrid, IoT). A unified approach, which includes continuous attack surface management and a single data foundation, is essential to connect disparate alerts and gain a complete picture of an attack across all security tools.
  3. Give Your Analysts a Power Loader (Not a Pink Slip): AI-driven security operations (SecOps) platforms do not replace human analysts but dramatically amplify their capabilities and response speed, enabling automated data integration, intelligent alert correlation and rapid response workflows to contain threats at "machine speed" before human bottlenecks are reached.

The post What the Alien Franchise Taught Me About Cybersecurity appeared first on Palo Alto Networks Blog.

Attackers Continue to Target Trusted Collaboration Platforms: 12,000+ Emails Target Teams Users

22 January 2026 at 13:00

Overview This report describes a phishing campaign in which attackers abuse Microsoft Teams functionality to distribute phishing content that appears to originate from legitimate Microsoft services. The attack leverages guest invitations and phishing-themed team names to impersonate billing and subscription notifications, encouraging victims to contact a fraudulent support phone number. Campaign scale Total phishing messages: 12,866 Daily average: 990 Affected customers: 6,135 Method of attack The attacker begins by creating a new team in Microsoft Teams and assigning it a malicious, finance-themed name designed to resemble an urgent billing or subscription notice. An example of the naming pattern observed includes [โ€ฆ]

The post Attackers Continue to Target Trusted Collaboration Platforms: 12,000+ Emails Target Teams Users appeared first on Check Point Blog.

Why Exposure Management Is Becoming a Security Imperative

21 January 2026 at 13:00

Of course, organizations see risk. Itโ€™s just that they struggle to turn insight into timely, safe action. That gap is why exposure management has emerged, and also why it is now becoming a foundational security discipline. What the diagram makes clear is that risk doesnโ€™t stay flat while organizations deliberate. From the moment an exposure is discovered and is reachable, exploitable, and known โ€“ the clock starts ticking. As time passes, environments change, dependencies grow, and attackers adapt faster. Remediation workflows fall behind. Manual coordination, unclear ownership, and fear of disruption all extend what is increasingly referred to as โ€˜exposure [โ€ฆ]

The post Why Exposure Management Is Becoming a Security Imperative appeared first on Check Point Blog.

โŒ