Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected


Users of Meta's WhatsApp messenger looking to simplify the process of protecting themselves are in luck, as the company is rolling out a new feature that combines multiple security settings under a single, toggleable option. …
U.S. Homeland Security Secretary Kristi Noem last week posted a photo of the arrest of Nekima Levy Armstrong, one of three activists who had entered a St. Paul, Minn. church to confront a pastor who also serves as acting field director of the St Paul Immigration and Customs Enforcement (ICE) office.
A short while later, the White House posted the same photo, except that version had been digitally altered to darken Armstrong's skin and rearrange her facial features to make it appear she was sobbing or distraught. The Guardian, one of many media outlets to report on this image manipulation, created a handy slider graphic to help viewers see clearly how the photo had been changed.
The New York Times reported it had run the two images through Resemble.AI, an A.I. detection system, which concluded Noem's image was real but the White House's version showed signs of manipulation. "The Times was able to create images nearly identical to the White House's version by asking Gemini and Grok, generative A.I. tools from Google and Elon Musk's xAI start-up, to alter Ms. Noem's original image."
Most of us can agree that the government shouldn't lie to its constituents. We can also agree that good government does not involve emphasizing cruelty or furthering racial biases. But this abuse of technology violates both those norms.
"Accuracy and truthfulness are core to the credibility of visual reporting," the National Press Photographers Association said in a statement issued about this incident. "The integrity of photographic images is essential to public trust and to the historical record. Altering editorial content for any purpose that misrepresents subjects or events undermines that trust and is incompatible with professional practice."
This isn't about "owning the libs": this is the highest office in the nation using technology to lie to the entire world.
Reworking an arrest photo to make the arrestee look more distraught is not only a lie, but also a doubling-down on a "the cruelty is the point" manifesto. Using a manipulated image further humiliates the individual and perpetuates harmful biases, and the only reason to darken an arrestee's skin would be to reinforce colorist stereotypes and stoke the flames of racial prejudice, particularly against dark-skinned people.
History is replete with cruel and racist images as propaganda: think of Nazi Germany's cartoons depicting Jewish people, or, contemporaneously, U.S. cartoons depicting Japanese people as we placed Japanese-Americans in internment camps. Time magazine caught hell in 1994 for using an artificially darkened photo of O.J. Simpson on its cover, and several Republican political campaigns have been called out for similar manipulation in recent years.
But in an age when we can create or alter a photo with a few keyboard strokes, when we can alter what viewers think is reality so easily and convincingly, the danger of abuse by government is greater.
Had the Trump administration not ham-handedly released the retouched perp-walk photo after Noem had released the original, we might not have known the reality of that arrest at all. This dishonesty is all the more reason why Americans' right to record law enforcement activities must be protected. Without independent records and documentation of what's happening, there's no way to contradict the government's lies.
This incident raises the question of whether the Trump Administration feels emboldened to manipulate other photos for other propaganda purposes. Does it rework photos of the President to make him appear healthier, or more awake? Does it rework military or intelligence images to create pretexts for war? Does it rework photos of American citizens protesting or safeguarding their neighbors to justify a military deployment?
In this instance, like so much of today's political trolling, there's a good chance it'll be counterproductive for the trolls: The New York Times correctly noted that the doctored photograph could hinder Armstrong's right to a fair trial. "As the case proceeds, her lawyers could use it to accuse the Trump administration of making what are known as improper extrajudicial statements. Most federal courts bar prosecutors from making any remarks about court filings or a legal proceeding outside of court in a way that could prejudice the pool of jurors who might ultimately hear the case." They also could claim the doctored photo proves the Justice Department bore some sort of animus against Armstrong and charged her vindictively.
In the past, we've urged caution when analyzing proposals to regulate technologies that could be used to create false images. In those cases, we argued that any new regulation should rely on the established framework for addressing harms caused by other forms of harmful false information. But in this situation, it is the government itself that is misusing technology and propagating harmful falsehoods. This doesn't require new laws; the government can and should put an end to this practice on its own.
Any reputable journalism organization would fire an employee for manipulating a photo this way; many have done exactly that. It's a shame our government can't adhere to such a basic ethical and moral code too.

ShinyHunters says it stole several slices of data from Panera Bread, but that's just the yeast of everyone's problems. The extortionist gang also claims to have stolen data from CarMax and Edmunds, in addition to three other organizations it posted to its blog last week. …
A coworker shared this suspicious SMS where AT&T supposedly warns the recipient that their reward points are about to expire.
Phishing attacks are growing increasingly sophisticated, likely with help from AI. They're getting better at mimicking major brands, not just in look but in behavior. Recently, we uncovered a well-executed phishing campaign targeting AT&T customers that combines realistic branding, clever social engineering, and layered data theft tactics.
In this post, we'll walk you through the investigation, screen by screen, explaining how the campaign tricks its victims and where the stolen data ends up.
This is the text message that started the investigation.

"Dear Customer,
Your AT&T account currently holds 11,430 reward points scheduled to expire on January 26, 2026.
Recommended redemption methods:
• AT&T Rewards Center: {Shortened link}
• AT&T Mobile App: Rewards section
AT&T is dedicated to serving you."
The shortened URL led to https://att.hgfxp[.]cc/pay/, a website designed to look like an AT&T site in name and appearance.

All branding, headers, and menus were copied over, and the page was full of real links out to att.com.
But the "main event" was a special section explaining how to access your AT&T reward points.
After "verifying" their account with a phone number, the victim is shown a dashboard warning that their AT&T points are due to expire in two days. This short window is a common phishing tactic that exploits urgency and FOMO (fear of missing out).

The rewards on offer, such as Amazon gift cards, headphones, smartwatches, and more, are enticing and reinforce the illusion that the victim is dealing with a legitimate loyalty program.
To add even more credibility, after submitting a phone number, the victim gets to see a list of available gifts, followed by a final confirmation prompt.


At that point, the target is prompted to fill out a "Delivery Information" form requesting sensitive personal information, including name, address, phone number, email, and more. This is where the actual data theft takes place.

The form's visible submission flow is smooth and professional, with real-time validation and error highlighting, just like you'd expect from a top brand. This is deliberate. The attackers use advanced front-end validation code to maximize the quality and completeness of the stolen information.
Behind the slick UI, the form is connected to JavaScript code that, when the victim hits "Continue," collects everything they've entered and transmits it directly to the attackers. In our investigation, we deobfuscated their code and found a large "data" section.

The stolen data gets sent in JSON format via POST to https://att.hgfxp[.]cc/api/open/cvvInterface.
This endpoint is hosted on the attacker's domain, giving them immediate access to everything the victim submits.
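As an added example (my own code, not Malwarebytes'), the following Python triage takes a URL as it appears in a report, refangs it, and flags the pattern used in this campaign: the brand name placed in a subdomain of an unrelated registrable domain (att.hgfxp[.]cc), plus link shorteners that hide the real destination. The brand allowlist, the shortener list and the tiny public-suffix table are assumptions for the example.

```python
from urllib.parse import urlsplit

# Brands to watch, mapped to the registrable domains they legitimately use.
# This allowlist is an assumption for the example, not a vendor-maintained list.
BRAND_DOMAINS = {"att": {"att.com", "att.net"}}
# Link shorteners hide the real destination, as the SMS link in the post did.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# A few two-level public suffixes; a real tool would load the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.br", "com.au"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """hgfxp.cc for att.hgfxp.cc; example.co.uk for www.example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def triage_url(url: str) -> list:
    """Return human-readable red flags for a URL, or [] when none fire."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    reg = registrable_domain(host)
    # Labels left of the registrable domain: ["att"] for att.hgfxp.cc.
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    flags = []
    if reg in SHORTENERS:
        flags.append(f"link shortener {reg} hides the real destination")
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue  # genuinely the brand's own site
        # Brand as a subdomain label, or embedded in the registered name
        # (the substring test is deliberately noisy: triage, not blocking).
        if brand in sub_labels or brand in reg.split(".")[0]:
            flags.append(f"brand '{brand}' appears in {host} but the site is "
                         f"registered under {reg}, not {sorted(legit)}")
    return flags


if __name__ == "__main__":
    for u in ("https://www.att.com/rewards", "https://att.hgfxp[.]cc/pay/",
              "https://bit.ly/constructed"):
        print(u, "->", triage_url(u) or "no flags")
```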
A number of red flags could have alerted the target that this was a phishing attempt:
Beyond avoiding unsolicited links, here are a few ways to stay safe:
Pro tip: Malwarebytes Scam Guard recognized this text as a scam.
We don't just report on scams, we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it's a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we'll tell you if it's a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!



Chinese state-linked hackers are accused of spending years inside the phones of senior Downing Street officials, exposing private communications at the heart of the UK government. …
The startup will use the investment to fuel global expansion of its agentless platform, including in Latin America.
The post Memcyco Raises $37 Million for Anti-Impersonation Technology appeared first on SecurityWeek.
Domains set up by the threat actor suggest attacks aimed at Atlassian, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, and WeWork.
The post Over 100 Organizations Targeted in ShinyHunters Phishing Campaign appeared first on SecurityWeek.


The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.
In this blog post, we provide details on CVE-2025-8088 and the typical exploit chain, highlight exploitation by financially motivated and state-sponsored espionage actors, and provide IOCs to help defenders detect and hunt for the activity described in this post.
To protect against this threat, we urge organizations and users to keep software fully up-to-date and to install security updates as soon as they become available. After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage. We also recommend the use of Google Safe Browsing and Gmail, which actively identifies and blocks files containing the exploit.
CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR that attackers exploit by leveraging Alternate Data Streams (ADS). Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system. Exploitation of this vulnerability in the wild began as early as July 18, 2025, and the vulnerability was addressed by RARLAB with the release of WinRAR version 7.13 shortly after, on July 30, 2025.
The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive. While the user typically views a decoy document (such as a PDF) within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data.
The payload is written with a specially crafted path designed to traverse to a critical directory, frequently targeting the Windows Startup folder for persistence. The key to the path traversal is the use of the ADS feature combined with directory traversal characters.
For example, a file within the RAR archive might have a composite name like innocuous.pdf:malicious.lnk combined with a malicious path: ../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk.
When the archive is opened, the ADS content (malicious.lnk) is extracted to the destination specified by the traversal path, automatically executing the payload the next time the user logs in.
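To make the traversal concrete, here is an added example (my own code, not Google's or RARLAB's) that takes archive entry names as plain strings (in practice from an `unrar lt` listing or a RAR parsing library) and reports entries whose ADS stream name would be written outside the extraction directory, and specifically into the Startup folder. The extraction directory and the username are constructed for the example.

```python
import posixpath
from dataclasses import dataclass

# Suffix of the per-user Startup folder, lower-cased, forward slashes.
STARTUP_SUFFIX = "/appdata/roaming/microsoft/windows/start menu/programs/startup"


@dataclass
class Finding:
    entry: str
    has_ads: bool              # entry name carries an NTFS stream ("file:stream")
    escapes_extract_dir: bool  # resolved destination is outside the extract dir
    lands_in_startup: bool
    resolved: str              # where the written bytes would end up


def _split_drive(path: str):
    p = path.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":
        return p[:2], p[2:] or "/"
    return "", p


def resolve_destination(extract_dir: str, relative: str) -> str:
    """Join an archive path onto the extraction directory the way Windows
    resolves it: '..' components climb, but never above the drive root."""
    drive, base = _split_drive(extract_dir)
    combined = posixpath.join(base, relative.replace("\\", "/"))
    return drive + posixpath.normpath(combined)


def analyze_entry(extract_dir: str, entry_name: str) -> Finding:
    name = entry_name.replace("\\", "/")
    has_ads = ":" in name
    # For an ADS entry the text after the first ':' is the stream name, and
    # that is the string that ends up interpreted as a path on extraction.
    stream = name.split(":", 1)[1] if has_ads else name
    resolved = resolve_destination(extract_dir, stream)
    root = resolve_destination(extract_dir, ".").lower().rstrip("/") + "/"
    escapes = not resolved.lower().startswith(root)
    in_startup = posixpath.dirname(resolved).lower().endswith(STARTUP_SUFFIX)
    return Finding(entry_name, has_ads, escapes, in_startup, resolved)


def scan_listing(extract_dir: str, entry_names) -> list:
    """Findings worth a second look: every ADS entry, and every entry that
    would write outside the extraction directory."""
    return [f for f in (analyze_entry(extract_dir, n) for n in entry_names)
            if f.has_ads or f.escapes_extract_dir]


# Constructed listing modelled on the entry shape described in the post;
# the extraction directory and username are made up for the example.
EXTRACT_DIR = r"C:\Users\alice\Downloads\archive"
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/../notes.txt",
    "innocuous.pdf:dummy",
    "innocuous.pdf:../../../../../Users/alice/AppData/Roaming/Microsoft/"
    "Windows/Start Menu/Programs/Startup/malicious.lnk",
]

if __name__ == "__main__":
    for f in scan_listing(EXTRACT_DIR, SAMPLE_ENTRIES):
        print(f"{f.entry!r}: ads={f.has_ads} escapes={f.escapes_extract_dir} "
              f"startup={f.lands_in_startup} -> {f.resolved}")
```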
Multiple government-backed actors have adopted the CVE-2025-8088 exploit, predominantly focusing on military, government, and technology targets. This is similar to the widespread exploitation of a known WinRAR bug in 2023, CVE-2023-38831, highlighting that exploits for known vulnerabilities can be highly effective, despite a patch being available.
Figure 1: Timeline of notable observed exploitation
Suspected Russia-nexus threat groups are consistently exploiting CVE-2025-8088 in campaigns targeting Ukrainian military and government entities, using highly tailored geopolitical lures.
Figure 2: Ukrainian language decoy document from UNC4895 campaign
APT44 (FROZENBARENTS): This Russian APT group exploits CVE-2025-8088 to drop a decoy file with a Ukrainian filename, as well as a malicious LNK file that attempts further downloads.
TEMP.Armageddon (CARPATHIAN): This actor, also targeting Ukrainian government entities, uses RAR archives to drop HTA files into the Startup folder. The HTA file acts as a downloader for a second stage. The initial downloader is typically contained within an archive packed inside an HTML file. This activity has continued through January 2026.
Turla (SUMMIT): This actor adopted CVE-2025-8088 to deliver the STOCKSTAY malware suite. Observed lures are themed around Ukrainian military activities and drone operations.
A PRC-based actor is exploiting the vulnerability to deliver POISONIVY malware via a BAT file dropped into the Startup folder, which then downloads a dropper.
Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets.
A group that has targeted entities in Indonesia using lure documents used this vulnerability to drop a .cmd file into the Startup folder. This script then downloads a password-protected RAR archive from Dropbox, which contains a backdoor that communicates with a Telegram bot command and control.
A group known for targeting the hospitality and travel sectors, particularly in LATAM, is using phishing emails themed around hotel bookings to eventually deliver commodity RATs such as XWorm and AsyncRAT.
A group targeting Brazilian users via banking websites delivered a malicious Chrome extension that injects JavaScript into the pages of two Brazilian banking sites to display phishing content and steal credentials.
In December and January 2026, we have continued to observe malware distributed by cyber criminals exploiting CVE-2025-8088, including commodity RATs and stealers.
The widespread use of CVE-2025-8088 by diverse actors highlights the demand for effective exploits. This demand is met by the underground economy, where individuals and groups specialize in developing and selling exploits to a range of customers. A notable example of such an upstream supplier is the actor known as "zeroplayer," who advertised a WinRAR exploit in July 2025.
The WinRAR vulnerability is not the only exploit in zeroplayer's arsenal. Historically, and in recent months, zeroplayer has continued to offer other high-priced exploits that could potentially allow threat actors to bypass security measures. The actor's advertised portfolio includes the following, among others:
In November 2025, zeroplayer claimed to have a sandbox escape RCE zero-day exploit for Microsoft Office, advertising it for $300,000.
In late September 2025, zeroplayer advertised an RCE zero-day exploit for a popular, unnamed corporate VPN provider; the price for the exploit was not specified.
Starting in mid-October 2025, zeroplayer advertised a zero-day Local Privilege Escalation (LPE) exploit for Windows, listing its price as $100,000.
In early September 2025, zeroplayer advertised a zero-day exploit for a vulnerability that exists in an unspecified drive that would allow an attacker to disable antivirus (AV) and endpoint detection and response (EDR) software; this exploit was advertised for $80,000.
zeroplayer's continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle. By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations, from ransomware deployment to state-sponsored intelligence gathering, to leverage a diverse set of capabilities.
The widespread and opportunistic exploitation of CVE-2025-8088 by a wide range of threat actors underscores its proven reliability as a commodity initial access vector. It also serves as a stark reminder of the enduring danger posed by n-day vulnerabilities. When a reliable proof of concept for a critical flaw enters the cyber criminal and espionage marketplace, adoption is instantaneous, blurring the line between sophisticated government-backed operations and financially motivated campaigns. This vulnerability's rapid commoditization reinforces that a successful defense against these threats requires immediate application patching, coupled with a fundamental shift toward detecting the consistent, predictable post-exploitation TTPs.
To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.
|
The protections against NPM supply chain attacks could be bypassed, leading to arbitrary code execution.
The post βPackageGateβ Flaws Open JavaScript Ecosystem to Supply Chain Attacks appeared first on SecurityWeek.
France has officially told Zoom, Teams, and the rest of the US videoconferencing herd to take a hike in favor of its own homegrown app. …
Quantum computers are coming, with a potential computing power almost beyond comprehension.
The post Cyber Insights 2026: Quantum Computing and the Potential Synergy With Advanced AI appeared first on SecurityWeek.
Marketed as ChatGPT enhancement and productivity tools, the extensions allow the threat actor to access the victim's ChatGPT data.
The post Chrome, Edge Extensions Caught Stealing ChatGPT Sessions appeared first on SecurityWeek.
Updated: Microsoft illegally installed cookies on a school pupil's devices without consent, according to a ruling by the Austrian data protection authority (DSB). …