Researchers have analyzed a new Android banking Trojan called Rokarolla. It can effectively take over a device, steal banking and crypto login details from more than 200 apps, and quietly monitor much of what you do on your phone.
On an infected device, Rokarolla steals banking and crypto login details. It also uses fake lock-screen overlays to capture your PIN, pattern, or password.
When you open one of the banking or crypto apps on Rokarolla’s target list, the malware downloads and displays a matching fake login page over the real app. Anything you type into the fake page, including usernames, passwords, and card numbers, is sent to the attackers.
Separately, Rokarolla abuses Android’s Accessibility features to monitor activity across the device. It can recognize WhatsApp screens by looking for familiar labels such as “Chats” and “Calls,” extract contact information, read SMS messages, and send new ones. These capabilities can help it intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes.
Rokarolla can take control of text messages and phone calls, helping it block security alerts and hide signs of fraud.
It can also record everything you type and see on the screen. If you copy and paste a cryptocurrency wallet address, the malware can secretly replace it with one belonging to the attackers.
Other features help the malware stay hidden, including the ability to hide its icon, silence the device, turn off Google Play Protect, and prevent the screen from going to sleep.
How it spreads
Rokarolla is distributed through rogue websites, where it is offered as fake versions of popular apps like TikTok or Chrome.
Malwarebytes blocks the download site
Instead of sending you to the official Google Play Store, these malicious sites push you to download the app directly, a process known as sideloading. After you install it, the fake app poses as Google Play Protect and quietly downloads and installs the malware that carries out the attack.
To gain the access it needs, the fake app asks for powerful permissions, including Accessibility access, the permission to read SMS messages, and access to notifications. Because these requests can look legitimate, many users may approve them without realizing the risks.
How to stay safe
To avoid banking Trojans like Rokarolla, there are a few guidelines you should follow:
Don’t trust apps that claim to be Google Play Protect or another system component. You should never need to install these manually.
Don’t sideload apps that are available on the Google Play Store. While malware can sometimes slip into official stores, the risk is much greater elsewhere.
Deny powerful permissions to apps downloaded from links or websites, especially if they ask for Accessibility access, SMS permissions, or the ability to handle calls, even though that doesn’t match their stated purpose.
In fact, any request for Accessibility access should be treated with caution. If an app that is not clearly an accessibility tool asks for it, deny the request and reconsider whether you trust the source.
Scrutinize banking and crypto login screens. If something looks off, or you see multiple login prompts, close the app and relaunch it from its official icon.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online.
The collection was exposed on the internet before being taken offline. While researchers can’t confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.
What happened?
Researchers at Cybernews found a publicly exposed database holding more than 8.3 TB of data.
The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.
Because the data came from different sources there are some differences in what the records contain and how they are organized.
Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Infostealers are a type of malware designed to steal sensitive information from infected devices, such as your home computer.
An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass multi-factor authentication), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.
Roughly 1.7 billion of the records came from hacking-related Telegram channels, mainly English and Russian, including at least one that was focused on stolen credit card data.
The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.
Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.
This newly discovered 24 billion record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.
Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That’s reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk. And we still don’t know the purpose for the data collection in the first place.
What to do now
It’s good to be aware of how much information about you is out there and who’s gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.
2. If you discover exposed passwords, change them immediately and make sure you aren’t reusing the same password across multiple accounts. Prioritize updating your important accounts such as email, banking, shopping, and social media accounts.
3. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.
How to protect your data
Infostealers often spread through malicious ads, fake browser updates, and one-click downloads. Avoid clicking sponsored ads, and instead visit official websites directly. Download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand what they do.
Pirated software, game cheats, cracked tools, and shady browser extensions remain common sources of infostealer infections. Stick to reputable software and extensions, and be wary of anything asking for excessive permissions.
Lastly, phishing emails are still a major threat. Be cautious of unexpected attachments, links, and urgent requests. If you’re unsure whether a message is legitimate, verify it through the company’s official website rather than the link in the message.
You can also use Malwarebytes Scam Guard to check individual messages. Just upload a screenshot and we’ll let you know if it’s a scam.
Breaches happen every day. Don’t be the last to know.
Cardiac monitoring provider iRhythm has been hit by a data theft followed by an extortion attempt.
In a filing with the Securities and Exchange Commission (SEC), iRhythm revealed it was contacted by someone on June 9 who claimed to have stolen sensitive information, including proprietary data, patient PHI, and other personal information. That person demanded payment in exchange for not publishing the data.
iRhythm provides ambulatory cardiac monitoring and analysis (for example using the Zio patch) and has reportedly processed over two billion hours of heartbeat data from more than twelve million patients.
In the filing, the company said the data was obtained through social engineering and is from “certain third-party-hosted business applications”, without revealing any further details about the amount of data.
On its own website, iRhythm also doesn’t disclose much about the nature of the stolen data, but does seem to imply no financial data was affected:
“We have not identified any impact to our products, our clinical or medical device systems, our connections to customers, our manufacturing and distribution operations, patient safety, or our ability to meet patient needs. In addition, we do not store or retain individual financial account information or payment card information.
As we actively investigate, we will notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.“
However, the SEC filing adds that iRhythm determined that the incident is significant, “in light of the volume of the potentially affected data.” Together with the extortionist’s claims that they have patients’ medical data, that makes the breach one worth noting if you have used iRhythm’s services.
Even without payment data, healthcare breaches have serious downstream effects:
Attackers can craft highly convincing emails, texts, or calls that reference specific procedures or monitoring episodes (for example, “about your recent Zio patch recording”) to trick patients into sharing more data or paying fake bills.
The breached data can be used to create a fake identity, insurance fraud, or medical identity theft.
Exposure of cardiac and other health‑related information can be deeply sensitive and may have employment/insurance ramifications, especially if data is posted publicly or sold to data brokers.
Healthcare breach data tends to circulate for years, and victims may face sporadic fraud and phishing attempts long after the headlines fade.
How to stay safe
If you’ve used iRhythm’s services, keep an eye on your post, email, and patient portals for official breach notifications from iRhythm or your healthcare provider.
In the US, breaches of protected health information that meet certain criteria must be reported to patients and regulators. iRhythm has promised to “notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.”
To stay out of the hands of phishers and scammers:
When you receive a communication about the data breach, verify through other channels that it really came from iRhythm. Go directly to iRhythm’s official website or patient portal, or call a known phone number to confirm the communication is genuine.
Be extra suspicious of emails or texts that claim to offer compensation, refunds, or other financial consequences related to this incident.
Change passwords for your iRhythm‑linked portals and your cardiology or hospital patient portals, especially if you reused those passwords elsewhere.
Log into your health insurer’s portal and check claims on a regular basis.
If you see anything suspicious, report it immediately to your insurer and provider and ask them to flag your account for possible identity theft.
Do not provide personal or financial information over the phone just because the caller knows details about you which they may have obtained from the stolen data.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security has seized the two domain names under the TAKE IT DOWN Act.
The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.
According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.
The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.
The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.
They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home in advertising revenue from the site.
The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.
Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.
Strahler had downloaded produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.
Last month, the DoJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.
Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.
How prevalent are deepfakes?
These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.
Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.
What you can do
If you or someone you know are depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.
Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.
Take advantage of expert advice to help protect yourself from non-consensual deepfakes:
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Anthropic has been ordered by the US government to cut off its newest Claude Fable 5 and Mythos 5 models for fear of abuse by adversaries.
Reuters reports that Anthropic said it will “abruptly disable” its most advanced AI models for all users after the US government ordered it to suspend access to the models for foreign nationals, citing national security concerns.
Officials reportedly believe a jailbreak could turn Fable 5 and Mythos 5 into vulnerability-discovery tools for adversaries, so Anthropic says it is disabling them worldwide rather than try to nationality‑filter access, since it is virtually impossible to verify every user’s nationality.
“The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or “jailbreaking” Fable 5. We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”
Mythos 5 is the non-public full version, which is currently used only by government agencies and selected corporate partners to harden their systems. Fable 5 is a Mythos-class model that should supposedly be safe for general use.
It makes sense to me that if Fable 5 is easy to jailbreak, that it should fall under the same restrictions as Mythos 5. However, Anthropic maintains that it has built-in safeguards that mean queries on some topics will instead receive a response from the next-most-capable model, Claude Opus 4.8.
The relationship between the US government and Anthropic had shown signs of easing in parts of the US government after tensions over military use, surveillance, and autonomous weapons. In March, defense Secretary Pete Hegseth designated the San Francisco-based company a “supply-chain risk to national security.”
To understand the nature of the argument, it is necessary to understand that Mythos 5 is described in multiple reports as particularly effective at identifying software vulnerabilities, including long‑standing bugs in complex, legacy systems such as those in banking and other critical infrastructure. Many view this as dual‑use: great for defense hardening, but catastrophic in the wrong hands.
In recent updates from major software vendors like Microsoft and Google, we’ve seen a growth in numbers of patched vulnerabilities after the vendors began using AI-guided search for new vulnerabilities in their own software. We also know that Mozilla found over 270 Firefox vulnerabilities with the aid of Anthropic’s new Claude Mythos model.
What this means
In the wrong hands these vulnerabilities could definitely do a lot of harm. So, it looks like it will take some time before regular consumers and developers will gain access to Fable 5 and Mythos 5 entirely. However, existing Anthropic models (older Claude variants) remain available.
For home users who were simply chatting with Claude or using it to help with basic scripting, the change will mostly show up as “this specific version is unavailable” rather than a broader AI blackout.
Removing a high‑end vulnerability‑finding model from broad circulation increases the effort required for less‑resourced cybercriminals to automate discovery of complex bugs in consumer‑facing software and services only by so much. There are other models available on the black market that might be just as effective. And for most cybercriminals, turning a vulnerability into a method they can utilize in an exploit is much more relevant.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
The UK’s Metropolitan Police has reached an agreement with Apple designed to make stolen iPhones harder to resell and less attractive to thieves. The approach combines stronger technical protections with direct data sharing between Apple and law enforcement.
As part of this effort, Apple has strengthened its Stolen Device Protection feature in iOS 26.4, making it harder for thieves to change security settings, factory‑reset a stolen iPhone, or set it up as new.
Previously, thieves with your passcode (or who snatched your iPhone while it was still unlocked) could factory reset it, wiping your account and making the device look new for resale. Stolen Device Protection blocks this, requiring biometric authentication, not just a passcode, to make critical changes.
The Met has started sharing identifiers for reported stolen devices with Apple. In return, Apple can provide data on whether those devices later attempt to reconnect to a network or attempt to be reactivated.
Police say this gives them a better picture of what happens to stolen devices: Are they being switched back on locally? Shipped abroad? Broken down for parts?
Met Police Commissioner Sir Mark Rowley said Apple believes it has “cracked” the engineering problem. Phone thefts in London have since fallen 18% year-on-year, with Westminster (the capital’s worst-affected borough) down 45.8%.
Given the early signs of success, the Met is pressing for broader changes.
The Commissioner has written to the Home Secretary asking for laws that would require all phone manufacturers and mobile operators to share information about stolen devices and implement measures that make stolen handsets unusable.
As part of that effort, the Met has explicitly said that Samsung and Google are also improving device security to address phone theft, suggesting this will become an industry‑wide expectation rather than an Apple‑only initiative.
Possible pitfalls
From a privacy perspective, it’s important to keep an eye on what data is shared, and who can see it.
Reports so far suggest that Apple and the Met are exchanging device identifiers and high‑level information about whether a stolen phone has attempted to reconnect or be reactivated. In theory, that sounds narrow and purpose‑bound: device X was reported stolen, later tried to come online in country Y, at time Z. There is no public indication that content, contacts, or location histories are being handed over wholesale.
There’s also a risk of someone reporting your phone as stolen. If a device is incorrectly marked as stolen, the protections designed to stop thieves could lock an innocent user out, turning a valuable asset into a brick. Without transparent appeal mechanisms, this is a notable concern.
The measures could also create challenges for recycling initiatives, legitimate repair shops, and refurbishers. They may face additional hurdles when diagnosing, restoring, or reselling devices if anti-theft protections become more restrictive.
Stay safe
Make sure your phone is protected with a strong passcode and biometric security, such as Face ID or a fingerprint.
Enable Apple’s Find My feature, or the Android equivalent, and make sure it is linked to a strong account password.
Keep lock screen notifications to a minimum so thieves cannot quickly access your sensitive information if they get hold of your device.
When buying a used phone, use a reputable seller and make sure the device has been reset by its owner. Complete the initial setup process with the seller present to confirm the phone isn’t locked to someone else’s account or reported stolen.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
A German court has ruled that Google can be held directly responsible for defamatory claims produced by its AI Overviews. Basically, the court said that telling people they should double-check AI search results is not enough to deny liability for what those results say.
This kind of warning may not be enough
The Munich Regional Court issued a preliminary injunction against Google after two German publishers discovered that AI Overviews falsely portrayed them as involved in scams and “dubious business practices,” even though the linked articles did not support those claims.
The decision could echo far beyond Germany. The court effectively found that Google can be held directly liable for defamatory content generated by its AI Overviews. The court cut through the usual “it’s just AI, don’t trust it too much” messaging and made one thing clear: If you build a system that confidently smears people or companies, you may be responsible for what it says, even when the content was “hallucinated” by AI.
AI Overviews are not harmless suggestions. In this case, the court treated them as Google’s own statements, with all the legal baggage that comes with that.
When the publishers sent a cease-and-desist letter, Google did not promptly stop similar claims from appearing. That detail turned out to be crucial in the ruling. The court noted that, unlike traditional search results, which simply list third-party content, AI Overviews generate “independent, new, and substantive statements.”
And since only Google can adjust the models and the logic that create those statements, only Google can reliably stop the system from repeating the same or similar falsehoods. In this case, the court found that Google can be held responsible.
For years, search engines have enjoyed broad protection under the logic that some harmful content is unavoidable when indexing the open web at scale. Showing a search result does not mean endorsing it. The search engine is a channel, not a publisher.
That changes when an AI Overview summarizes, rephrases, and sometimes invents facts, then publishes them at the top of search results.
AI Overviews are an extra feature, not essential to how search works. However, the appeal of AI summaries is their fast, confident answers, which is exactly what makes them dangerous. When those answers are wrong, many users may not click through to check the sources.
The ruling is preliminary and may be appealed, but the signal is clear: AI search output is not magic dust that makes liability disappear. Disclaimers about possible mistakes may not be enough when a system is deployed at scale, creates new content, and is designed to be trusted.
By the numbers
Google AI Overviews are powered by Gemini, Google’s AI model. Like other AI systems, it can produce confident answers that are wrong or poorly supported.
Pew Research studied browsing data from hundreds of users and found that when an AI Overview appears on a Google results page, clicks to traditional search results drop from around 15% to about 8%.
A New York Times analysis of AI Overviews found that they were accurate roughly nine out of ten times. But with Google processing more than five trillion searches a year, even a small error rate could mean millions of wrong answers.
And those mistakes are not always due to bad sources. Even when Google links to a page with the correct information, its AI can still produce a false answer. More than half of the accurate responses were classified as “ungrounded,” meaning the websites cited by the AI Overview did not fully support the information it provided.
The main lesson here is to double-check AI search responses. Don’t trust an answer just because it’s presented confidently and includes links.
Users can be steered toward real threats, or away from effective protections, simply because an AI system sounded convincing on a search page.
If you find false or defamatory AI summaries about yourself or your company, document them thoroughly. Take screenshots, save the search terms, file correction requests, and keep records of the platform’s response. Or the lack of one.
Scammers don’t need to hack you. They just need you to click once.
A data breach notice has been filed with the Maine Attorney General, saying more than 2.4 million users of VRChat have had their data breached.
The question is, was it VRChat who filed the breach notice, or did someone pretending to represent the company post it instead? On Reddit, a VRChat representative posted:
VRChat did not submit this Notice of Data Incident, and we have no reason to believe that our systems have been compromised. We are in the process of contacting the Maine Attorney General’s office to have this removed.
The breach notice states that VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access supposedly happened in VRChat’s cloud environment and involved user profile and login-related data.
According to the notice, the information exposed varied by account, but may have included:
VRChat username
Email address associated with the VRChat account
VRChat+ subscription status
Login history, including device information, hardware identifiers, and IP addresses
VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.
The notice states that no passwords or payment card data was exposed. However, even without passwords or card details, there are still potential risks when it comes to other breached data.
Phishing
Cybercriminals may use usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in‑platform messages claiming to be from “Support,” with fake security alerts or prompts to “confirm your age” via a malicious link.
Knowledge of subscription status could make scams more convincing. A scammer could send tailored lures like “billing issue with your subscription” or refund scams, which tend to have higher click-through rates among paying users.
Account takeover
Cybercriminals may combine usernames and email addresses from one breach with passwords stolen in other data breaches and try them against accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.
Valuable accounts may then be sold to other players or used for scams.
Identity correlation
Steam and Meta user IDs linked to breached accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.
IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.
How to stay safe
Whether or not the breach turns out to be an actual breach, here are some steps you can take to protect yourself:
First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.
Update June 11, 2026: Article was updated to reflect VRChat’s post on Reddit.
Before publishing our original article, we tried to contact VRChat on two separate email addresses but received no meaningful response.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Short-form video platforms like TikTok and Instagram Reels have become the latest way cybercriminals spread malware.
We’ve already seen attackers move away from traditional phishing emails and toward tactics that trick people into installing malware themselves. Now they’re being lured with slick social media videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office, but instead leave people with infostealers on their Windows devices.
Researchers at ReversingLabs uncovered two active campaigns that use short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites. Similar campaigns have been reported by other researchers and national cybersecurity agencies, suggesting a growing trend: Cybercriminals are learning how to use social media algorithms just as effectively as marketers.
In true social media fashion, the videos on platforms like TikTok and Instagram Reels claim to solve a problem you didn’t know you had. The catch is that following the instructions delivers malware to your device.
How the scam works
The first campaign looks deceptively professional.
Accounts with names like “windows.tips” or “windows.insights” use Windows-style branding and post polished tutorial videos that resemble genuine tech support content. The videos are tagged with Windows and Office-related keywords so they appear alongside legitimate troubleshooting and tips content.
The videos promise to unlock Spotify Premium, Microsoft Office, or Windows for free. Viewers are then guided through step-by-step instructions that include opening Powershell, a legitimate Windows admin tool, and pasting in commands. Those commands download and run malware, much like the ClickFix scams we’ve covered before.
The malware was identified as Vidar, an infostealer designed to steal sensitive informtion from infected devices. Vidar commonly targets:
Saved browser passwords
Autofill data
Browser cookies
Cryptocurrency wallets
Two-factor authentication (2FA) data
TOR browser data
The stolen information is then sent back to servers controlled by the attackers.
How to stay safe
Research into similar TikTok-based attacks shows these scripts commonly add exclusions to Windows Defender, making it harder for security software to detect future malicious activity.
Fortunately, there are a few simple ways to protect yourself:
Only download software from official vendor websites.
Be skeptical of “free”, cracked, or unofficial versions of paid software.
Don’t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy and paste code. Many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.
Check that downloaded files match what you expected to download.
Verify a file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file, selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag.
Use a real-time, up-to-date anti-malware solution to block malware like infostealers before it runs.
Pro tip: If you’re unsure whether a video, message, or website is legitimate, you can ask Malwarebytes Scam Guard about it. It can help identify suspicious content and advise you on what to do next.
This month’s Patch Tuesday fixes 206 security flaws in Microsoft software, making it the biggest Patch Tuesday release ever.
The update includes 32 critical vulnerabilities, as well as three publicly disclosed zero-days. Microsoft classifies these as zero-days because information about the vulnerabilities became public before patches were available. None are known to have been actively exploited by attackers.
The huge number of fixed vulnerabilities makes this the largest Patch Tuesday since Microsoft launched the program in October 2003. The company introduced the monthly update schedule after the Blaster worm caused disruption in the early days of Windows.
How to apply patches and check if you’re protected
These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:
1. Open Settings
Click the Start button (the Windows logo at the bottom left of your screen).
Click on Settings (it looks like a little gear).
2. Go to Windows Update
In the Settings window, select Windows Update (usually at the bottom of the menu on the left).
3. Check for updates
Click the button that says Check for updates.
Windows will search for the latest Patch Tuesday updates.
If you have selected to get the latest updates as soon as they’re available, you may see this under More options. In which case you may see a Restart required message. Restart your system and the update will complete.
If not, continue with the steps below.
4. Download and install
If updates are found, they’ll start downloading automatically. Once complete, you’ll see a button that says Install or Restart now.
Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.
5. Double-check you’re up to date
After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!
Technical details
One publicly disclosed vulnerability is important to mention. This flaw in Windows BitLocker is tracked as CVE-2026-50507 (CVSS score: 6.8 out of 10) and its description states:
“a protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.”
BitLocker is a built-in Windows security feature that encrypts your entire hard drive, securing your data from unauthorized access if your device is lost or stolen. However, this vulnerability could allow an attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data.
Another is CVE-2026-49160 (CVSS score: 7.5 out of 10) in HTTP.sys. This vulnerability can be exploited to launch a remote denial-of-service attack against major web servers using a technique called HTTP/2 Bomb.
The third to discuss is CVE-2026-45586 (CVSS score: 7.8 out of 10) in the Windows Collaborative Translation Framework (CTFMON). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. These elevation of privilege (EoP) vulnerabilities are especially valuable to attackers because they can be combined with other flaws to gain full control of a compromised system.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.
WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.
Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.
Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.
Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.
These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.
Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.
From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.
We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.
As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.
Don’t get recognized
If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.
A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:
Remove yourself from reverse face search engines
The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:
Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.
The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.
Scrub your data
If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.
Those losses stem from 22,364 AI-related complaints. And these figures represent only the reported losses, which may well be the proverbial tip of the iceberg.
The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AI‑generated scripts. These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation.
Michael Machtinger, deputy assistant director of the FBI Cyber Division, told the Wall Street Journal:
“AI-created fraudulent communications can look very official and very legitimate to even the most trained individuals.”
The FBI and financial institutions recommend verifying identities via official contact channels. One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos, and AI‑generated audio and video of public officials.
This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts, and create highly believable deepfake personas at scale.
AI is also increasingly used in business email compromise (BEC), romance scams, and impersonation fraud. In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone.
For a broader look at why AI is simultaneously fueling scams like these and becoming indispensable to defending against them, see my article AI: Threat, tool, or both?
It explains how both defenders and criminals use AI to find vulnerabilities, and why security vendors increasingly rely on AI to process vast amounts of telemetry, detect anomalies, and keep pace with threats that “no longer move at human speed.”
How to stay safe
Consumer protection agencies have documented a growing list of the ways scammers are using AI to try to rip people off. The main problem is that we can no longer take it at face value that the person we’re talking to is who they claim to be.
Government agencies and financial institutions recommend that you:
Be skeptical of urgent payment demands, especially those involving cryptocurrency or gift cards
Limit the amount of voice and video content you share publicly, as it can be reused by scammers
Report incidents quickly to your bank(s) and IC3.gov
Pro tip: Malwarebytes Scam Guard can help you determine whether a message is a scam and guide you through the next steps.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed.
The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.
The strain is being called “RenEngine loader” and sometimes referred to as Ren’Py because parts of the malicious code are embedded in a legitimate Ren’Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.
Ren’Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case is not Ren’Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.
In practice, the primary infection vector is software piracy. Victims download cracked games or repacked installers from unofficial sites, then run what looks like a normal game launcher or setup file. In reality, they’re infecting their computer with a malware loader.
At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.
But we’ve also seen other payloads being dropped, including Rhadamanthys stealer, Async Remote Access Trojan (RAT), and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine. That can mean account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data.
Worst of all, a user may not realize they are infected until usernames and passwords have been stolen or the machine starts behaving strangely.
How to stay safe
The most important lesson here is that “free” cracked software is often a delivery mechanism for malware, not a bargain. Once a loader like this is on the machine, the real goal is usually to steal credentials or install a secondary payload that is more persistent and more damaging.
Some other general advice to stay safe:
Don’t download installers from unofficial sources.
Keep your software up to date, especially Microsoft patches and other security-related programs.
If you think your computer is infected and want to make sure, follow the instructions posted here. The amazing volunteers on our forums will help you through the process of cleaning your machine.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.
Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.
How the trick worked
The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.
Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.
To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.
In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.
Meta hoisted on its own AI petard
Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.
The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.
Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.
What actually worked
Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.
Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.
What can you do to protect yourself?
A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.
That doesn’t make MFA perfect, but it adds an important layer of protection.
So the practical advice is unglamorous:
Open Instagram’s Settings
Navigate to your Meta Accounts Center
Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.
Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.
Expect more snafus from “helpful” bots
This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.
The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.
Scammers don’t need to hack you. They just need you to click once.
A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives.
The attack is initiated by a text message pretending to come from Signal Support.
“Action Required: Data Recovery Needed Your Signal account data (message and media) Is at risk of permanent loss due to a sync issue. To avoid losing your messages and media: 1. Go to Settings -> Backups -> Configure -> Enable backups -> View Recovery Key. 2. Copy the recovery key to your clipboard. 3. Paste the key into this chat. This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.”
There are a few red flags in this message:
The “Name not verified” label under the sender
Repeated threats of losing all your data
Pasting the key into the chat. Signal Support would never ask for your recovery key
The attack exploits Signal’s Secure Backups feature, which allows users to store encrypted archives of their conversations on Signal’s servers. These backups are protected by a 64-character recovery key.
That key should never leave the user’s device and is never shared with Signal’s servers. If hackers obtain this key and gain control of a victim’s account, they can download and decrypt the entire message history.
For an attacker, that’s even better than hijacking an account, which would only give them access to future messages.
Signal explicitly states that it will never reach out to users first and will never request registration codes, PINs, or recovery keys.
Treat unsolicited messages from “Support” as suspicious by default. Legitimate support for apps like Signal and WhatsApp do not ask you, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
Never share any secret codes, multi-factor authentication keys, or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Consider anyone asking for them to be a scammer.
Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a code. This reduces the risk of social engineering or shoulder‑surfing.
Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gains access to a chat later, or obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.
Use Malwarebytes Scam Guard on your device or online to check messages. Malwarebytes Scam Guard identified this message as a phishing attempt and provided further information about how to proceed.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Carnival Corporation, parent of Carnival Cruise Line, is sending out fresh “Notice of Cybersecurity Event” letters dated May 27, 2026. If you feel like you’ve read that sentence before, you’re not imagining things. Over the last decade, the world’s largest cruise operator has accumulated a worrying track record of breaches, ransomware incidents, and regulatory penalties, with this 2026 incident adding yet another entry to an already lengthy cybersecurity history.
There are several data breaches involving Carnival Corporation or one of its subsidiaries in our database.
Between 2019 and 2021 alone, Carnival reported four separate cybersecurity events to the New York Department of Financial Services. These included two ransomware attacks and a phishing incident in which attackers deployed malware, accessed and encrypted internal systems, and stole personal customer and employee information.
In this latest case, an attacker used social engineering to trick a Carnival employee into granting access to part of the company’s IT systems on April 14, 2026. By April 22, they used a compromised account to access a “limited portion” of Carnival’s IT systems, where they were able to copy personal data before being blocked.
According to the data breach notice filed in Maine, a total of 5,995,277 people were affected. Carnival determined that the intruder had illegally copied files containing personal information and is now writing to affected individuals to tell them that “data elements” relating to them were obtained.
Researchers cited by Gblock say the stolen data appears to include:
Full names
Email addresses
Dates of birth
Genders
Mariner Society membership status and tier
Internal customer identifiers
The template letter does not list specific data fields. Instead, it uses a placeholder:
“We have determined that your <<data elements>> were obtained.”
This strongly suggests that Carnival is populating each letter with data categories relevant to that particular individual, a common pattern in large breaches where people may have provided different information at different times.
Furthermore, the letters contain the usual content about the speed with which the company acted, involving third‑party experts, and frame the affected systems as a limited subset of the environment. For recipients, the important fact is not how limited the breach was from the company’s point of view, but whether the exposed information could be used for identity theft, fraud, or highly convincing phishing attacks.
Breaches happen every day. Don’t be the last to know.
We do know from past Carnival incidents that exposed data has included names, addresses, dates of birth, passport numbers, health information, and payment details. In previous breaches affecting cruise lines, compromised data has ranged from basic contact details to Social Security numbers and credit card information. Carnival has not publicly disclosed the full categories of data involved in the 2026 incident, but given that this 2026 event again involves “personal information” copied from internal systems, it is reasonable to treat it as a serious privacy incident, even if the exact mix of data varies per person.
The attack was claimed by extortion group ShinyHunters, which is known to steal data and then ask for a ransom. If the victim does not agree to the terms, the data will be published and/or sold to the highest bidder.
ShinyHunters offers Carnival data for download
From a cybercriminal’s perspective, cruise industry data is highly prized. Cruise passengers are often relatively wealthy, and passenger records can combine identity data (names, addresses, dates of birth, passport numbers), contact data (emails, phone numbers), and potentially payment data (card numbers and sometimes bank details), making them valuable for identity theft, targeted phishing, and fraud.
What to do if you’re affected
To mitigate the fallout, Carnival is offering a complimentary 24‑month TransUnion credit‑monitoring package, delivered via the MyTrueIdentity platform and supported by Cyberscout for fraud assistance.
A Secure Boot certificate refresh is rolling out across supported Windows devices through Windows Update. In June 2026, the Secure Boot certificates that have shipped inside Windows since 2011 begin to expire, and Microsoft is replacing them with new 2023-dated certificates.
The good news: If you keep your PC updated, you probably won’t need to do anything. The bad news: Some older devices may not transition cleanly. Your PC won’t suddenly stop working, but over time it could miss important boot-level security protections without you realizing it.
Here’s what’s going on, why it matters, and how to check that your machine is on the right side of the deadline.
What is Secure Boot, and what’s expiring?
Secure Boot is a UEFI firmware feature built into virtually every PC sold since around 2012. It runs before Windows even starts loading, and its job is to verify that the boot loader and early boot components have been signed by a trusted party. If something tries to insert itself into the boot chain that isn’t on the trust list—a bootkit, for example—Secure Boot refuses to let it run.
The “trusted party” part is the crucial bit. Trust is established through cryptographic certificates baked into your motherboard firmware. The current certificates were issued in 2011 and are now reaching expiration. Three specific certificates are involved:
Microsoft Corporation KEK CA 2011: expires June 24, 2026
Microsoft UEFI CA 2011: expires June 27, 2026
Microsoft Windows Production PCA 2011: expires October 19, 2026
Microsoft is replacing them with a 2023-dated set, including Windows UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023. According to Microsoft engineers speaking during a March 2026 AMA session, the new certificates are valid until 2038, and a separate post-quantum cryptography transition is planned for around 2030 for future hardware.
“Will my computer stop working?”
No. This is the single most important thing to understand, because the rumor mill has been louder than the facts.
If the deadline arrives and your PC is still running on the 2011 certificates, Windows will still boot, Windows Update will still work, and your PC will continue functioning normally.
What changes is that, in Microsoft’s own words, the device “will no longer be able to receive new security protections” for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities.
In plain English: Your PC becomes harder to protect over time. It’s protected against today’s known boot threats, but not necessarily against the ones that will be discovered next month or next year.
That’s a problem because bootkits operate underneath Windows and antivirus software. They run before anything else and can disable the security tools that would normally catch them.
The BlackLotus problem
If you want a concrete example of why boot-level security matters, look at BlackLotus.
BlackLotus is a UEFI bootkit that emerged on hacking forums in 2022 and was confirmed in the wild by researchers in early 2023. It exploited CVE-2022-21894, nicknamed “Baton Drop,” to bypass Secure Boot on fully patched Windows systems. Once installed, it could disable BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender before Windows fully loaded.
Microsoft addressed the underlying flaw in CVE-2023-24932, but fixing vulnerable boot managers safely is complicated. Revoking the wrong boot components can leave systems unbootable, which is why Microsoft has rolled out protections gradually over several years.
The 2026 certificate rollover is a planned lifecycle event (the 2011 certificates were always going to expire), but it also enables the broader Secure Boot hardening Microsoft has been doing in response to vulnerable boot managers and attacks such as BlackLotus.
With the new trust anchors in place, Microsoft can continue rolling out newer 2023-signed boot components and safely revoke vulnerable ones as new threats emerge. Devices that don’t make the transition may eventually miss those future protections.
How the rollout works
Microsoft is using a staged rollout designed to avoid breaking systems.
A scheduled Windows task runs roughly every 12 hours and applies the update in stages:
Add the new Windows UEFI CA 2023 to the firmware’s signature database.
If the old 2011 third-party certificate is still present, add the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 alongside it.
Add the new Microsoft Corporation KEK 2K CA 2023 key.
Update the Windows Boot Manager to one signed by the new certificate. This step is deferred until the next natural reboot.
Microsoft’s IT pro guidance estimates the full process takes roughly 48 hours and one or more restarts to complete. Each step must succeed before the next one runs, so a device can sit partway through the sequence for a while if (for example) it’s waiting on a firmware update or a scheduled reboot.
For most home users, this happens silently in the background through normal cumulative updates.
Starting with the April 2026 Windows update, the Windows Security app includes updated Secure Boot status information under Device security that shows whether the new certificates have been applied successfully.
What could go wrong
Most systems will transition without problems, but there are some known trouble spots:
Older PCs with outdated firmware. Some older UEFI firmware implementations don’t properly support the new certificates. These systems may require a BIOS or firmware update from the manufacturer before the transition can complete.
PCs that bypassed Windows 11 requirements. If Secure Boot was disabled to install Windows 11 using unofficial workarounds, the new certificates cannot be applied correctly.
Legacy BIOS / CSM systems. Devices running Legacy BIOS (or UEFI with Compatibility Support Module enabled) aren’t using Secure Boot at all, so they’re outside the scope of this update entirely.
Custom firmware and weird configurations. Some custom or unusual firmware configurations may trigger a BitLocker recovery prompt after the Secure Boot variables change. Microsoft has been careful to note that BitLocker itself is not being disabled, but users should have their recovery keys handy just in case.
Windows Latest reported seeing update failures on thousands of PCs with outdated firmware during testing. Microsoft’s own guidance more broadly warns that firmware, platform, and OEM limitations can block the transition. In many cases, Windows Security will flag affected systems with yellow or red status warnings.
What home users should do
For most people, the advice is straightforward:
Keep Windows fully up to date. Microsoft is rolling the new certificates out through normal Windows updates, and most home users won’t need to do anything beyond installing monthly updates.
Check your Secure Boot status (the text, not just the color). Open Windows Security > Device security > Secure Boot. A green badge with the text “Secure Boot is on, preventing malicious software from loading when your device starts up.” is the all-clear. Microsoft warns that a green checkmark alone doesn’t confirm the new certificates have been applied.
If your device is older, check for a BIOS/firmware update from your manufacturer. Some systems need them before the Secure Boot update can complete properly. This is especially important for PCs built before 2024.
Don’t disable Secure Boot to “fix” something. Disabling Secure Boot is exactly the wrong response—it removes the protection entirely rather than updating it. Some game anti-cheat systems and older apps ask users to do this.
Don’t panic about the new SecureBoot folder. Windows 11’s May 2026 cumulative update (KB5089549) creates a folder at C:\Windows\SecureBoot containing example PowerShell scripts intended for IT administrators. It’s not malware, it’s expected, and you don’t need to delete it.
Use up-to-date, real-time anti-malware protection that can detect threats at the OS level even if something does slip past Secure Boot.
What IT teams should do
If you manage a fleet, Microsoft has published extensive guidance and the work is more involved. The short version:
Inventory your devices now. Pull the manufacturer, model, BIOS version and date, baseboard product, and Secure Boot status across the fleet. Microsoft provides a PowerShell sample script at aka.ms/GetSecureBoot that surfaces the relevant registry keys and event IDs.
Watch Event IDs 1801 and 1808. Event ID 1808 confirms the new certificates are in place. Event ID 1801 means the device has not completed the update.
Test before broad rollout. Microsoft recommends testing at least four devices per unique manufacturer/model/firmware combination. Some systems may need an OEM firmware update before they can accept the new certificates.
Choose one deployment method per device. Use registry keys, Group Policy, WinCS command-line tools, or Intune/ConfigMgr scripts, but don’t mix methods on the same machine.
Pay attention to PXE imaging and Hyper-V. SCCM/MECM PXE servers may need a re-signed boot.wim, and Hyper-V hosts may need updating before new VMs are created with the 2023 KEK in the firmware template.
Document devices that can’t be updated. Older hardware without OEM firmware support may need to be replaced before the deadline or formally accepted as an exception with compensating controls. These devices will keep working, but they may miss future boot-level protections.
The bottom line
This is one of those security events that won’t generate a dramatic incident on June 24, 2026. Nothing visible will break that day.
The risk is what happens in the months and years after. Devices that fail to transition to the new trust chain may slowly fall behind on future boot-level protections as Microsoft continues responding to threats like BlackLotus and other bootkits.
For most home users, Windows Update will handle the transition automatically. Your main job is to keep your system updated and verify Secure Boot status before the deadlines arrive.
If your hardware is older, now is a good time to check whether your manufacturer still provides firmware updates—and whether your PC is ready for the next decade of Secure Boot protections.
“One of the best cybersecurity suites on the planet.”