Reading view

Feds snooze as US datacenter law set to lapse with no replacement in site

US legislation covering federal datacenters is set to expire in September and it appears that the Trump administration is simply going to allow it to lapse without replacement. The Federal Data Center Enhancement Act (FDCEA) of 2023 covers certain standards that are to be adhered to for facilities that are wholly or partially owned, operated, or maintained by a federal agency. It includes requirements relating to availability and uptime of the facility; the use of sustainable energy sources; protection against power failure; protections against physical intrusion and natural disasters; plus IT security protections. We understand that the legislation will sunset on September 30, 2026, and according to Wired, neither the US Congress nor the Trump administration appears to be making any move to extend the act, or put alternate legislation in place. The danger is that if the FDCEA is not renewed or superseded by similar legislation, then federal agencies across the US may cease to follow the requirements and simply act as they see fit when procuring new datacenter infrastructure. We asked the White House and Congress for comment. According to implementation guidance issued by the Office of Management and Budget (OMB) under the previous administration, agency datacenters “must provide secure and highly available computing infrastructure to enable reliable access to Federal information and information systems.” It notes that the "needs of the federal government with respect to data access and data processing systems have evolved since 2014,” when the Federal Data Center Consolidation Initiative (FDCCI) was established, and hence the latter was not renewed but replaced by the FDCEA. The OMB states that effective operation of datacenters requires regular monitoring, and optimization of resources by operators, and directs agencies to incorporate automated tools into the management of all new facilities, including tools that monitor metrics such as electrical consumption. It also states that the “cost, scarcity, and environmental impact of energy and water consumption necessitates that agencies evaluate datacenters against resource consumption metrics and best practices when making their decisions” regarding new datacenter builds. Perhaps most importantly, it requires that federal facilities “must be able to meet the reliability and resiliency needs of their hosted information and information systems through implementation of the appropriate information security and physical security protections.” It is widely known that the Trump administration does not look kindly on regulations, especially those relating to environmental protection. Instead, policy has focused on fast-tracking the federal permitting process for datacenters, particularly those dedicated to training and developing AI models. A recent report from Politico stated that the Trump administration was not inclined to set nationwide environmental requirements or recommendations for the datacenter industry. Instead, Environmental Protection Agency (EPA) Administrator Lee Zeldin said that while there are technologies and practices that reduce air pollution and water usage, individual states and communities know what works best for them. At the same time, opposition to datacenter construction is growing across the US, precisely because of public fears over factors such as air pollution, water usage, and the prospect of spiking energy bills. A recent survey found more than 70 percent of respondents said that they would be against the construction of an AI datacenter in their neighborhood. ®

  •  

Securing Canada’s Digital Future: Why PBMM Matters Beyond Government

Palo Alto Networks is pleased to announce the successful completion of a new Cloud Medium security assessment conducted by the Canadian Centre for Cyber Security (Cyber Centre), significantly expanding the number of Palo Alto Networks cloud services assessed for Protected B / Medium Integrity / Medium Availability (PBMM) environments. This assessment includes a broad range of capabilities across our Cortex®, Cortex Cloud and Strata™ platforms. By achieving this milestone, Palo Alto Networks enables  organizations handling Canada’s most sensitive data to leverage a unified, AI-driven security architecture without compromising on compliance or operational resilience.

For years, many organizations viewed PBMM as something that only mattered to the Canadian federal government. It was often seen as a procurement requirement—a framework tied to public sector cloud adoption, relevant for departments handling Protected B information, but not necessarily for the private sector.

That assumption is changing.

The reality is that the challenges driving PBMM are no longer unique to government environments. Banks, energy providers, transportation networks, healthcare organizations, crown corporations, and other critical infrastructure operators are now facing many of the same pressures:

  • Expanding attack surfaces across hybrid and multi-cloud environments.
  • Increased regulatory scrutiny and privacy obligations.
  • Greater operational dependence on cloud and AI technologies.
  • Increased reliance on third-party providers and software supply chains.
  • The need to maintain operational resilience during cyber incidents and disruptions.
  • A growing expectation that organizations can demonstrate—not just claim—security maturity.

That is why PBMM matters far beyond Ottawa. At its core, PBMM represents a rigorous approach to validating whether enterprise-grade security platforms can operate securely in environments where trust, resilience, and operational continuity are critical.

Increasingly, that level of assurance matters to everyone.

What PBMM Really Represents

PBMM, a rigorous cybersecurity and data classification standard used by the  Canadian Centre for Cyber Security, stands for Protected B / Medium Integrity / Medium Availability. While often associated with federal cloud security requirements, PBMM is not simply a checkbox exercise. It is a comprehensive assessment framework aligned to Canadian cybersecurity guidance and operational security expectations.

What makes PBMM important is that it evaluates whether platforms and services can securely support sensitive and mission-critical workloads in real-world environments.

Palo Alto Networks meeting these rigorous PBMM requirements through three core pillars:

  • Strata (Network Security): Secures data resiliency and zero trust connectivity, driving robust perimeter and cloud edge protection.
  • Cortex Cloud (Cloud Security): Provides complete visibility, security governance, and data protection across complex cloud-native architectures.
  • Cortex (Security Operations): Powers the agentic SOC, combining unified data, AI, and automation to detect and respond to threats in real time.

These are not theoretical requirements. They are practical operational expectations designed for environments where downtime, visibility gaps, or security failures can have significant consequences.

Organizations today are no longer evaluating cybersecurity solely based on features. They are evaluating whether platforms can be trusted to support critical operations at scale.

Why Security Expectations Are Changing

The cybersecurity landscape has evolved dramatically. Infrastructure is distributed across cloud providers, SaaS applications, remote users, third-party integrations, operational technology (OT), AI platforms, and interconnected supply chains. At the same time, attacks have become faster, more automated, and more disruptive.

In this environment, security can no longer be treated as a compliance exercise. Organizations need confidence that their platforms, operational processes, and security controls can function effectively under pressure.

This is why Palo Alto Networks has undertaken independent PBMM assessments across its portfolio, providing customers with greater assurance and trust. By meeting these rigorous standards into Strata and Cortex, we enable non-government entities—like financial institutions and utility providers—to deploy the same defensive rigor used to protect national security systems.

Transforming Critical Infrastructure with a Unified Platform

To effectively manage risk, critical infrastructure operators require a platform approach that helps eliminate security silos, reduce manual intervention, and accelerate threat mitigation.

Key Portfolio Advantages for Critical Infrastructure & Enterprise:

  • AI-Driven Threat Detection & Response: Cortex XSIAM® and Cortex XDR® unify telemetry across endpoints, network, and cloud to deliver unparalleled visibility and automated threat stitching, neutralizing advanced cyberthreats before they disrupt operations.
  • Comprehensive Cloud Native Protection: Cortex Cloud secures applications from code to cloud to SOC, offering posture security, data protection, and continuous compliance monitoring tailored to stringent Canadian data standards.
  • Zero Trust Network Security: Strata enables secure access and consistent policy enforcement across campus, branch, and data center environments, protecting critical OT and IT systems from lateral threat movement.
  • Elite Incident Response: Backed by Unit 42®, organizations gain access to threat intelligence and rapid incident response services to augment their teams and build long-term cyber resilience.

Operational Resilience Is Becoming a Strategic Requirement

One of the most significant shifts occurring across industries today is the growing focus on operational resilience. Organizations are increasingly asking questions that extend beyond traditional cybersecurity controls:

  • Can we maintain critical services during a cyber attack?
  • Do we have visibility across our cloud environments and supply chain dependencies?
  • Can we rapidly detect, respond to, and recover from disruptions?
  • Are our governance processes keeping pace with cloud adoption and AI innovation?

As organizations adopt cloud-native architectures, AI-driven technologies, and interconnected digital ecosystems, resilience has become a board-level concern. The ability to prevent incidents remains important, but organizations are equally focused on their ability to withstand, respond to, and recover from them.

This is where frameworks like PBMM provide value. Beyond evaluating security controls, PBMM assesses the governance, operational processes, monitoring capabilities, and risk management practices that help organizations operate securely.

For critical infrastructure operators, resilience is no longer simply an IT objective—it is a business imperative. Increasingly, the organizations that earn trust are those that can demonstrate they are prepared to operate effectively when disruption occurs.

Final Thoughts: PBMM Reflects the Future of Trust

PBMM may have started solely as a government assessment framework, but its relevance now extends far beyond federal environments. It represents something universal: the ability to operate securely, reliably, and transparently in environments where trust matters most.

By expanding our PBMM-assessed offerings across Cortex and Strata, Palo Alto Networks underscores its commitment to securing Canada's digital future. We provide the validated foundation organizations need to innovate with confidence, protect sensitive data, and maintain operational continuity under any circumstance.

Read the Assessment Summary Report

To learn more about the Palo Alto Networks Cloud Medium security assessment, review the publicly available assessment summary report issued by the Canadian Centre for Cyber Security.

Ready to modernize your defenses with PBMM-assessed solutions? Schedule a demo with our team or contact Unit 42 to learn how we can help elevate your organization's resilience against emerging cyber threats.

The post Securing Canada’s Digital Future: Why PBMM Matters Beyond Government appeared first on Palo Alto Networks Blog.

  •  

UK digital ID gets brain trust to 'challenge' ministers on policy

The UK government has set up an advisory board for its digital ID project, intended "to challenge the government on emerging ideas or policy decisions to ensure the system works for everyone," says the Cabinet Office. The board includes David Rogers, an Internet of Things security expert and CEO of security consultancy Copper Horse. He is no stranger to government advisory panels, having previously sat on a group formed in 2020 to consider telecoms diversification. A year later, as chairman of the GSMA's fraud and security group, he backed the then-Conservative government's Product Security and Telecommunications Infrastructure Act 2022. Rogers has provided El Reg with comments over the years, and in 2014 discussed iPhone 6 biometric security, arguing that better usability would cut data loss overall because most people found PIN locks too cumbersome. Justine Roberts, founder and chief executive of UK parenting forum Mumsnet, is also on the board. The site experienced a data breach in 2019 due to a cloud migration affecting 46 user accounts, leading Roberts to apologize. More recently, some Mumsnet posters have been unimpressed by the government's digital ID plans, with one responding to the prime minister's October 2025 announcement with "Honestly, who is he kidding?" and "Desperate stuff to justify this authoritative bs." During the public consultation, some posters promoted the Sex Matters campaign to let Brits include their sex in their digital IDs. Another board member, Victor Dominello, has relevant experience as the minister who launched New South Wales' digital driver's license in 2019, saying it was more secure than the physical equivalent. In 2022, a researcher at security company Dvuln found numerous security flaws in the Service NSW app that hosts the license and other government services, although the state government said these did not pose a risk to customer information. Other members include John Fallon, former chief executive of Pearson and the lead non-executive board member of the Cabinet Office; Anne-Marie Imafidon, who runs social enterprise Stemettes, which encourages people to consider jobs in tech and science; and digital regulation lawyer Emma Wright. The board will meet quarterly for as long as the digital ID program lasts. The government is also setting up engagement exercises with the digital verification and financial services sectors. It is currently running a People's Panel with around 100 to 120 participants meeting in Birmingham and on Zoom to hear from experts and ministers before producing recommendations, in return for £550 in cash or vouchers. ®

  •  

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

  •  

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

  •  

ICE to keep an eye on your eyes under $25M biometric scanner deal

If you thought US Immigration and Customs Enforcement’s widespread use of face recognition apps was a privacy violation, you’re about to get eye-rate over a new $25 million contract. According to a largely unreported contract summary published last week by ICE parent agency the Department of Homeland Security, US immigration cops have doled out about $25.1 million to a company called Bi2 Technologies for 1,570 biometric recognition devices able to identify people through fingerprints, iris scans, and facial recognition. Additional procurement data indicates that the devices can be used in the field in both mobile and stationary configurations, and they provide ICE agents with access to Bi2’s Inmate Recognition and Identification System (IRIS), which matches biometrics to a database of more than five million booking, arrest, and incarceration records from 47 US states. The Bi2 system is also able to access driver’s license and vehicle plate info. The deal was made without seeking any competing bids, and ICE justified the sole-source acquisition by pointing not only to Bi2’s capabilities being “unmatched by any competitor,” but also to a contract from last year in which it paid the company $4.6 million for what now appears to have been a one-year trial run of its technology on a much smaller scale. Per the FY 2025 contract, which expires at the end of this coming September, ICE got similar access to the IRIS database and mobile/stationary biometric scanning technology as this year’s award, but only 200 devices were deployed across the US. With the addition of this contract, 1,770 of the devices could now be on American streets by the end of May 2027. While the Bi2 contracts have yet to cause a stir on the level of other ICE biometric surveillance technologies, the widespread deployment of eyeball scanners linked to law enforcement databases and other forms of government documentation could end up stirring up more controversy. Senate Democrats have been railing against ICE’s use of biometric identification technology like Mobile Fortify, an app reportedly used by DHS under the Trump administration’s immigration enforcement push to identify people suspected of immigration violations and, potentially, protesters. In a letter last September, senators demanded ICE immediately cease using Mobile Fortify over concerns that the app could be inaccurate, biased, and might have a chilling effect on the legal expression of protected civil rights in the US. Neither ICE nor DHS responded to questions for this story. ®

  •  

From WarGames to Cyberwar

How Nations Hack, Why Attribution Fails, and What AI Changes

Executive Summary:
Code War author Allie Mellen, argues that cyberwarfare must be understood through a human and geopolitical lens to close the knowledge gap between the security community and the public.

Disclaimer:
This post reflects the perspectives shared in the book Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, and does not represent the views of the publisher of this blog.


The summer of 1983, President Reagan watched WarGames at Camp David and couldn't get it out of his head. A week later, he walked into a White House meeting with cabinet members and Congress and launched into a detailed plot summary of a Matthew Broderick movie about a teenager who nearly hacks the world into nuclear war. The room full of defense experts sat uncomfortably, suppressing smirks. Then Reagan turned to General John Vessey, Chairman of the Joint Chiefs, and asked if something like that could actually happen.

Vessey came back a week later with an answer: "Mr. President, the problem is much worse than you think."

Fifteen months after that, Reagan signed a classified presidential directive titled "National Policy on Telecommunications and Automated Information Systems Security" – the first federal policy of its kind. A movie had done what years of expert warnings hadn't: It made the most powerful person in the world stop and ask the right question.

Allie Mellen, author of Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, loves to tell this story, and it captures exactly why she wrote the book. In a conversation recorded at RSA 2025, Mellen joined Threat Vector host, David Moulton, to talk about nation-state threats, attribution pitfalls, and why the security industry's biggest problem isn't technical.

"They're human stories, and if we can communicate them that way to the general public, then we'll get more people interested in cybersecurity, invested in cybersecurity, and invested in protecting their data."

That gap, between what the security community understands and what everyone else grasps, is the core problem Mellen set out to solve. And in today's geopolitical moment, closing it has never been more urgent.

Every Nation Hacks Differently

One of the central arguments in Code War is that you can't understand a nation's cyber behavior without understanding its history, doctrine and social contract. China, Russia, Iran, North Korea and the U.S. each approach offensive and defensive cyber operations from completely different starting points, and those differences matter enormously to defenders.

China operates with patience. Its attacks tend to be low and slow, focused on long-term espionage rather than loud disruption. But that changes sharply in its own region, where operations targeting Taiwan are aggressive and relentless. Russia, by contrast, is bombastic; they want you to know it was Russia. Its influence operations have been some of the most effective in modern history, studied and imitated by Iran and others.

Interestingly, the very system China built to protect itself has become a liability in one specific domain. Because Chinese operators live behind the Great Firewall, without access to western social media, they lack the cultural fluency that makes Russian disinformation so effective. "They try to use memes, but it's like ‘uncanny valley’," Mellen explains. "They just slightly miss every time and so it doesn't go viral." The walled garden that gives China control over its own population makes it harder to manipulate everyone else's.

Attribution Is a Geopolitical Tool, Not Just a Technical One

Mellen is careful about attribution, and she wants defenders to be too. The standard technical signals (coding language, infrastructure patterns, operational hours) are necessary but not sufficient. Nation-states, especially the U.S., have developed tools specifically designed to mimic other actors' signatures. AI will make that problem significantly worse.

But the bigger issue is motivation. Mellen walks through a case from the Olympics where an attack was initially attributed to North Korea, even though North Korea was actively trying to normalize relations at the time by sending Kim Jong Un's sister to the games. The actual perpetrator was Russian, using a false flag to obscure its involvement. The lesson: Attribution requires asking not just "who has the technical capability?" but "who has the motive right now, given everything happening geopolitically?"

The pitfalls are real:

  • Tools once used exclusively by intelligence agencies are now publicly available, making code signatures unreliable.
  • Working-hours analysis is easy to spoof, especially for sophisticated actors.
  • Government-controlled research in adversarial nations can deliberately skew attribution findings.
  • False flag operations are increasingly sophisticated and harder to disentangle.

Why Your Data Is a Geopolitical Asset

One of the more powerful sections of the conversation centers on a question Mellen hears constantly: why would China care about my data?

Her answer cuts through the dismissiveness. These nations aren't collecting data out of idle curiosity. They're willing to constrain companies for it, invest billions in infrastructure for it, and in some cases, far worse. "Whether you wanna be involved in that system or not, you are involved in that system," she says. "And so you can either choose to take control of your information in that environment, or you can just pretend like it's not your problem."

The historical context she offers is striking. One of the driving forces behind GDPR in the EU was the collective memory of how Nazi Germany used data to target Jewish people during the Holocaust. Europe built privacy protections into law because it had seen what happens when governments gain unrestricted access to population data. That's not an abstract concern. It's a lesson written in history that the rest of the world is still catching up to.

AI Makes Everything Harder

Mellen isn't optimistic about the trajectory. Attribution is about to get much harder. Attacks are about to get much more dynamic. And AI is the reason for both.

She points to research on Chinese state-sponsored actors using AI to orchestrate attacks across the full kill chain, with only a couple of human checkpoints in the loop. The implication isn't just faster attacks. It's more adaptive malware that can adjust to different operating environments, more convincing disinformation that clears the cultural context bar, and reconnaissance-to-exploitation cycles that move faster than most defenders can process.

The constraints that have always slowed sophisticated attackers – understanding the operating system, identifying vulnerabilities, crafting exploits, mimicking attribution – all get easier with AI. All of that becomes more dynamic. And most enterprises, Mellen acknowledges, are not yet equipped to respond effectively.

The investment required is in the basics the industry has always struggled to get right, executed now at a pace and scale that demands automation and AI on the defensive side. Fighting AI with AI isn't a vendor talking point. It's the only math that works.

More to Explore

The nation-state threats Mellen describes aren't theoretical. Unit 42 responded to more than 750 major incidents in 2025. See what they found. Download the 2026 Global Incident Response Report.

Listen to the full conversation with Allie Mellen, author of Code War, on the Threat Vector podcast

The post From WarGames to Cyberwar appeared first on Palo Alto Networks Blog.

  •  

Vietnam to develop domestic cloud so it can ditch risky overseas operators for government workloads

Vietnam has decided to develop its own cloud platform, so its government agencies can stop using foreign-owned services. Prime Minister Le Minh Hung last week announced the plan in Decision 808/QD-TTg, which lists 20 strategic technologies Vietnam wants to develop to improve its technological self-reliance and give its government the tools to tackle national challenges. Developing a national cloud computing platform is number 13 on the list. Machine translation of Decision 808 yields the following goals for the project: “Ensuring national data sovereignty and cybersecurity for the digital government and key digital economic infrastructures; forming a centralized, secure, and reliable digital and data infrastructure to serve national digital transformation; gradually replacing foreign cloud services in state agencies, reducing the risk of data leaks and breaches of state secrets.” The move is a sign that Vietnam’s government, like many others, fears entanglements with cloud providers that may struggle to escape edicts from their home jurisdictions. Yet major hyperscalers Microsoft, Google, and Tencent Cloud are yet to build facilities in Vietnam. AWS will bring one of its lightweight Local Zones to Hanoi, Alibaba Cloud intends to build a datacenter, and Huawei Cloud has expressed interest in doing likewise. Vietnam’s government wants more love from hyperscalers – the nation’s Deputy PM recently met with AWS officials and called for greater co-operation. Yet any Vietnamese government workloads currently operating in a major hyperscaler violate the nation’s own laws that require local storage of personal information! Other technologies Vietnam wants to develop include a large-scale Vietnamese language model, virtual assistants, and AI to power applications including cameras, credit risk management, and something that translates as “a national smart education platform applying controlled AI.” The nation also wants its own next-generation firewall; anti-malware software, a next-generation SIEM system, and an “AI-integrated security operations center platform.” Quantum-resistant encryption also makes the list, as does a “user and entity behavior analysis system.” Rare earth processing is another capability Vietnam desires, as are 5G expertise, the ability to build and operate autonomous and industrial robots, and improved semiconductor design skills. Vietnam is in a hurry: Decision 808 set a 2030 deadline to get this all done. According to a Tuesday post to a government news platform, 2030 is also the year in which Hanoi expects all core government services will be online, and digital infrastructure enables outcomes such as “Ensuring social welfare and supporting crime prevention and control, national security, and social order and safety” plus “Supporting scientific research and innovation.” And in 2035, Vietnam “will become a developed digital nation” in which “National databases, with population data serving as the core, will be interconnected, shared, and effectively utilized to support the development of a smart government, enabling data-driven decision-making based on real-time information.” Smart government will mean “Citizens will benefit from personalized, automated, and convenient digital services tailored to different life events.” What a time to be alive. ®

  •  

Complimentary virtual training: Get hands-on with AWS Security Services

If you’re looking to strengthen your organization’s security posture on Amazon Web Services (AWS) but aren’t sure where to start, then we’re here to help. Security Activation Days are complimentary, virtual, hands-on workshops designed to help you get practical experience with AWS security services in a single session.

What to expect

Each Security Activation Day is a 3–6 hour virtual workshop where you work directly with AWS security services in real-world scenarios. Through a combination of presentations, demos, and workshops, you will get hands-on practice guided by AWS security specialists either in your own environment or in an AWS-provided sandbox.

Topics rotate across the full spectrum of AWS security, identity, and governance services, including threat detection and response, identity and access management, network and application protection, data protection, and governance and compliance. You will leave with actionable knowledge you can apply to your workloads immediately—not a to-do list of things to research later.

Who should attend

Security Activation Days are made for builders—security engineers, cloud architects, and DevOps teams who want to go deeper on specific AWS security capabilities. Whether you’re evaluating a service for the first time or looking to operationalize something you’ve already deployed, these sessions meet you where you are.

What attendees are saying

With over 6,400 attendees across 90 events so far in 2026, Security Activation Days consistently earn a 4.8 out of 5 satisfaction rating. Participants tell us the hands-on format is what makes the difference: there’s no substitute for actually configuring a service and seeing the results in real time.

How to register

We run Security Activation Days year-round across all time zones, with new sessions added regularly. Find a session, show up ready to learn, and start building today.

If you have feedback about this post, submit comments in the Comments section below.

Ashley Nelson

Ashley Nelson

Ashley is a Sr. WW Security Specialist at AWS, where she leads worldwide customer enablement programs for Security, Identity, and Governance services.

  •  

39 Seconds — That's How Long It Takes to Lose Your Data

Not hours. Not days. It takes thirty-nine seconds from initial access to data exfiltration.

That stat, pulled from Unit 42® research, isn't hypothetical. It's what defenders are up against right now, while most organizations are still building security teams around manual detection and response workflows that were never designed to operate at machine speed.

Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, put it plainly in a recent conversation on the Threat Vector podcast, recorded live at RSA this year:

If you're applying a manual detection and response capability, you are going to be beat by the attacker every day.

It's the kind of sentence that should make security budgets move faster.

The Threat Landscape Doesn't Wait for Organizational Consensus

Whitmore has spent nearly 25 years tracking nation-state actors, and she's unequivocal about what's changed. The adversaries today aren't just better funded and more sophisticated. They're faster, and increasingly AI-powered.

Consider what's converging right now:

Chinese nation-state groups like Volt Typhoon and Salt Typhoon have been operating with near-surgical patience inside critical infrastructure, leveraging existing administrative tools to avoid detection. Volt Typhoon is focused on military prepositioning in power grids, water systems and telecommunications. Salt Typhoon has been systematically collecting intelligence from those same networks. Neither group announces itself with novel malware. They disappear into environments using the tools already there.

Meanwhile, threat actors tied to Iran are operating with entirely different objectives: tactical disruption and destruction. And financially motivated cybercriminal groups are automating ransomware campaigns at a pace that has compressed attack timelines from weeks to minutes.

Every CISO is being asked to defend against all of them simultaneously, while also managing their organization's AI expansion, and doing it without adding headcount.

Speed Is the New Perimeter

When Whitmore references the 39-second exfiltration window, she's pointing at something structural, not just alarming. It reflects how completely the attacker's operational tempo has shifted.

The 72-minute data breach figure from Unit 42 Incident Response data is equally striking: From initial access to full data theft in the time it takes to sit through a decent movie. A 400-times year-over-year increase in exfiltration speed isn't a trend. It's a fundamental change in the physics of an attack.

"There is no way that we are going to defeat these adversaries if we are working at manual speed," Whitmore explained. The answer isn't just more analysts. It's fighting AI with AI, letting machines handle the volume and velocity, so humans can focus on the problems that actually require human judgment.

Two Sides of the Same AI Problem

Here's where the conversation gets more nuanced and more important.

Most of the AI-in-security conversation focuses on the offensive side: adversaries using generative AI to craft convincing phishing lures, accelerate reconnaissance and automate attack sequences. That's real, and it's accelerating.

But Whitmore raised the other half of the problem, one that gets far less attention: The attack surface that organizations are creating by deploying AI without securing it.

Innovation of AI doesn't so far outpace the security of AI.

This is the outcome she wants to see. Right now, that's not what's happening. Business pressure to deploy AI quickly is outrunning the security architecture required to protect it. Every new AI deployment touching production data, cloud APIs and enterprise systems expands the attack surface. Shadow AI, prompt injection, model poisoning: These are not future threat vectors. They're present tense.

The distinction Whitmore draws is useful: AI for cybersecurity (faster detection, automated response, reduced analyst burden) needs to advance in parallel with cybersecurity for AI (securing the models, prompts and data pipelines that organizations are building on). One without the other creates exactly the kind of asymmetry attackers will exploit.

Visibility Is Where It Starts

Whether the conversation is about defending against nation-state actors or securing AI deployments, Whitmore keeps returning to the same foundation of visibility.

Not complexity. Not more tools. Visibility is a single, unified view of what's happening across endpoints, networks, cloud and AI systems, that’s fast enough to matter when the window is measured in seconds, not days.

For SOC teams, that means being able to detect and contain a threat before a compromise of one system becomes an enterprise-wide event. For CISOs thinking about AI governance, it means understanding what's being deployed, what's being prompted, and where the data is going before an incident surfaces for them.

The organizations Whitmore sees succeeding aren't the ones with the largest security budgets. They're the ones with the clearest picture of their environment, and the architecture to act on it in real time.

The Win Looks Different Now

Perhaps the most important reframe in the conversation is that the objective is no longer to prevent every attack. That goal is not achievable against adversaries operating at AI speed with nation-state resources.

The win is resilience. Detecting fast and containing fast. Keeping one compromised endpoint from becoming an enterprise-wide breach.

That shift in framing, from prevention to rapid recovery, has significant implications for how security teams are built, how AI is integrated into workflows, and how CISOs make the case for investment to leadership that still thinks in terms of keeping attackers out.

The adversaries already know the perimeter is gone. The question is whether your defense strategy has caught up.

Want to Dig in More?

Listen to the full interview here.

The Unit 42 2026 Global Incident Response Report goes deep on the threat trends shaping how modern attacks unfold. If you want the data behind the headlines, start here. Download the Report →

The post 39 Seconds — That's How Long It Takes to Lose Your Data appeared first on Palo Alto Networks Blog.

  •  

Security posture improvement in the AI era

It’s only been a few weeks since Anthropic announced the Claude Mythos Preview model and launched Project Glasswing with AWS and other leading organizations. This has generated a lot of discussion about the future of cybersecurity and what the ever-increasing capabilities of foundation models mean to organizations.

As AWS CISO Amy Herzog pointed out in the Project Glasswing announcement, “At AWS, we build defenses before threats emerge, from our custom silicon up through the technology stack. Security isn’t a phase for us; it’s continuous and embedded in everything we do.”

Read more from Amy about this in Building AI defenses at scale: Before the threats emerge.

While the discussion around the future of cybersecurity is important, the only thing we know for certain is that organizations need to be able to react quickly to the rapid changes AI is bringing to technology and business in general. And you can’t react quickly if your security fundamentals aren’t dialed in.

The security hygiene gap

It’s easy to assume you have the foundational security elements covered, or to overlook some completely. Basic security use cases like identity management, threat detection, vulnerability management, data protection, and network security can be inconsistently implemented across cloud environments. While AI is reshaping the security landscape, strong security fundamentals continue to be essential for every organization, regardless of size or industry.

These are the security basics that matter whether or not you’re adopting AI: patching consistently, enforcing least-privilege access, enabling logging and monitoring, encrypting data at rest and in transit, and reviewing security configurations regularly. When these fundamentals are in place, you’re better positioned to take advantage of AI-driven tools and respond to newly discovered vulnerabilities, wherever they come from.

While the concepts that drive security fundamentals are universal, implementing them in your environment is best done with an understanding of the context unique to your organization. That’s why we have a multitude of freely available materials—like the AWS Well-Architected Framework—that you can use to help ask the right questions and implement changes in your environment. We also offer programs like the Security Health Improvement Program (SHIP) to help you improve your security posture through prescriptive guidance and continuous improvement.

What is the Security Health Improvement Program (SHIP)?

SHIP is a no-cost program available to every AWS customer, regardless of support tier. SHIP provides a proven, data-driven methodology to:

  • Assess your current security posture using data from your AWS environment
  • Identify specific opportunities to improve across 10 core security use cases
  • Build a prioritized action plan tailored to your environment
  • Establish a mechanism for continuous security improvement

The program is led by AWS Solutions Architects and Technical Account Managers who take you through a personalized report, contextualize findings for your environment, and help you build a prioritized action plan.

Why SHIP matters in the AI era

Project Glasswing highlights an important shift: AI-powered tools are accelerating the pace of vulnerability discovery, which means organizations need to be prepared to assess and respond to findings and changing situations faster than before. In addition to external factors, as organizations adopt AI—whether deploying foundation models, building agentic workflows, or using AI-powered services—how they implement their security controls must change as well. A strong security foundation is what makes confident AI adoption possible.

Here’s how SHIP helps:

Address foundational security gaps proactively

SHIP uses a data-driven methodology to identify opportunities to improve and optimize across 10 core security use cases: threat detection, cloud security posture management, application security testing, configuration management, access governance, vulnerability management, application protection, network security, encryption, and secrets management. The program includes a SHIP assessment to identify critical security findings related to your current security posture, so your team can build a prioritized roadmap for improvement tailored to your environment.

Establish the security baseline AI workloads require

Before you deploy your first model on Amazon Bedrock or build agentic workflows with Amazon Bedrock AgentCore, you need confidence that your underlying infrastructure follows security best practices. SHIP uses actual data from your environment to provide prescriptive, specific guidance rather than generic security recommendations. This is especially relevant as AI-driven vulnerability discovery tools become more widely available: organizations with strong baselines will be able to act on new findings quickly and effectively.

Build a mechanism for continuous security improvement

As AI capabilities evolve, organizations benefit from having a repeatable process to assess and strengthen their security posture over time. SHIP establishes the methodology and mechanisms for your team to continuously assess, prioritize, and improve. By building this operational capability, you’re strengthening your organization’s ability to adapt and contributing to broader industry resilience. As the cybersecurity community integrates AI into defense strategies, SHIP helps you maintain foundational best practices so you can adopt these innovations effectively and with confidence.

Getting started is straightforward

SHIP is available today, at no cost, to every AWS customer. Here’s how to get started:

  1. Talk to your AWS account team. Ask about scheduling a SHIP engagement, or request one directly on the SHIP page.
  2. Attend a SHIP Activation Day. AWS regularly hosts hands-on workshops where you can run the SHIP assessment with AWS Solutions Architects and start building your improvement plan.
  3. Explore the prescriptive guidance. Consult the AWS Well-Architected Framework – Security Lens for documentation, reference architectures, and implementation guides you can start using today.

Take the next step together

AWS is committed to being the most secure cloud, from our participation in Project Glasswing to the security embedded in every layer of our infrastructure. Security is a shared responsibility, and programs like SHIP give customers the tools, guidance, and support to strengthen their security foundations so they can build confidently, no matter what comes next.

Ready to improve your security posture? Contact your AWS account team to schedule a SHIP engagement, or visit the SHIP resources page to learn more.

Celeste Bishop

Celeste Bishop

Celeste is a Senior Security Specialist at AWS, based in Austin, Texas. Over the past five years, she has held a range of security-focused roles spanning field and product marketing, developer relations, and executive engagement. She partners closely with customers, security leaders, and field teams to help organizations operate securely in the cloud. Celeste holds a Bachelor’s in Economics from the University of Texas at Austin.

  •  

Securing the UK’s Digital Future

Our Commitment to Data Autonomy and National Resilience

The United Kingdom has established itself as a leading global cyber power. Over the last decade, Palo Alto Networks has been proud to work alongside British institutions to protect the digital borders of a highly innovative economy. As UK organisations navigate an evolving threat landscape and adopt transformative technologies, like AI, the need for security partners who understand British operational realities has never been greater.

The Path to Digital Autonomy, Resilience and Control

Organisations today require more than a technology provider. They need a partner that understands the specific legal frameworks and strategic priorities of the British landscape. We are reaffirming our deep commitment to the UK, safeguarding British data as a core part of national resilience, even as both technology and cyber adversaries evolve.

The targeting of UK infrastructure is a daily operational reality. According to our Unit 42 2026 Global Incident Response Report, attackers are moving at unprecedented speed, with exfiltration speeds for the fastest attacks quadrupling in 2025. Identity weaknesses played a material role in almost 90% of Unit 42® investigations, as attackers increasingly exploit stolen credentials and fragmented identity systems to escalate privileges and move laterally. These threats span across all sectors, from NHS patient data to local government systems and energy networks.

UK organisations need partners who understand their unique requirements. While our broader European commitments provide a strong foundation, we recognise that the UK requires a dedicated focus across data protection, critical infrastructure security and public-private collaboration. This includes a deep-rooted local presence, aligning our operations with national standards of protection to support British ingenuity and ambition.

Control Over Your Data

Genuine data control requires two things: understanding exactly how and under which laws your information is handled and having the technical capabilities to enforce that control.

For UK customers, we provide the capability to host data within UK-based infrastructure, ensuring that critical data can be stored in regions that align with UK data protection requirements. Additionally, for applicable products and services, we offer Bring Your Own Encryption Keys (BYOK) capabilities, giving you direct control over the encryption protecting your data.

Our agreements are built to comply with UK GDPR requirements and include the necessary protections for any cross-border data transfers. But beyond contractual obligations, we operate on a fundamental principle: Your data serves only the purpose for which you’ve engaged us.

How we handle different data categories:

1. Customer and Personal Data Are Processed Only to Serve You

We process your Customer Data and Personal Data exclusively to deliver the services you have purchased. This includes the content of your communications and files uploaded for support. The purpose is singular: delivering the security and protection you’ve contracted us to provide.

2. Systems Data Is Used to Enhance Functionality and Collective Defence

To provide effective security, our products generate Systems Data, which includes technical logs, performance metrics and threat indicators. This information serves three main purposes: ensuring the day-to-day functionality of your services, enabling our teams to provide expert technical support and troubleshooting, and powering our global threat research capabilities.

When a new threat is detected against a specific UK sector, our entire network receives updated protection within minutes. This allows British organisations to benefit from global threat intelligence. We handle Systems Data in ways that preserve your operational privacy, ensuring the intelligence value comes from understanding threat patterns, not identifying individual organisations.

For detailed technical information on how we categorise and handle data, see our Customer Data, Personal Data and Systems Data whitepapers.

Transparency in Practice

We publish a biannual Transparency Report detailing all government and law enforcement data requests we receive. This isn’t simply about compliance. It’s about providing UK organisations with verifiable evidence of how we handle requests, enabling informed risk assessment and governance oversight. For more information, please visit the Privacy Section in our Trust Center.

Securing Critical National Infrastructure

The UK’s 13 sectors of Critical National Infrastructure represent the backbone of society. These sectors require security solutions built with an understanding of their unique threat models, from the specific requirements of an NHS trust to the challenges facing an energy provider.

We currently serve hundreds of UK public sector organisations across government, health and critical infrastructure sectors, which include the UK Government, UK Home Office and the Ministry of Justice.

Operational Resilience

For the UK’s most critical services, operational resilience is paramount. Our security platforms are designed for high availability and reliability, helping organisations maintain continuous protection even during disruptions.

Trust and Transparency

Palo Alto Networks is deeply integrated into the UK’s security ecosystem, ensuring our solutions exceed national benchmarks for resilience and transparency.

We hold Cyber Essentials Plus certification and align with the NCSC Cloud Security Principles, providing assurance to customers that we adhere to the highest security protocols to protect their most critical assets. As a Software Security Ambassador and a committed supporter of the NCSC Telecom Vendor Assessment, we are committed to enhancing the security of the UK’s telecommunications and software supply chains.

Beyond compliance, our Unit 42 team serves as an NCSC-assured Cyber Incident Response (CIR) Enhanced Level provider, offering specialised incident support to help UK organisations navigate and recover from the most complex incidents. For customers with specific requirements, particularly in defence and national security, we can provide support from personnel in countries with compatible security standards and legal frameworks. We are committed to the Telecommunications Security Act (TSA) Code of Practice, supporting the resilience of the UK’s public telecommunications networks.

Strengthening Local Expertise with National Impact

Our investment in the UK extends across our people, infrastructure and local expertise. Operating from our London hub, we remain deeply connected to the communities we serve and make a direct and indirect contribution to the UK economy. Our UK-based teams span engineering, threat research, professional services, policy and security strategy, and have a deep understanding of the UK market and the requirements of our customers. We also partner with NCSC CyberFirst and others on developing the next generation of cyber talent, and our Cyber Academy Program partners with universities and colleges all over the UK to train the next generation of cyber defenders.

A Partnership Built on Trust and Verifiable Commitments

The UK’s digital autonomy increasingly depends on its ability to secure both cyber infrastructure and the emerging AI economy. This requires partnerships that serve the UK’s long-term national interests, grounded in trusted institutions, local expertise and transparency that enables commitments to be verified, not simply asserted.

We recognise that the UK’s cyber landscape is shaped by its legal framework, strategic priorities and threat environment. From protecting critical infrastructure to enabling the secure adoption of AI, organisations across the UK need to trust their security partner to deliver on their commitments. Palo Alto Networks is committed to maintaining and increasing that trust through verifiable action, transparency, accountability and an enduring partnership.

To learn more about our comprehensive commitment to digital trust, privacy and security, visit the Palo Alto Networks Trust Center.

The post Securing the UK’s Digital Future appeared first on Palo Alto Networks Blog.

  •  

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

Blogs

Blog

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

SHARE THIS:
Default Author Image
April 6, 2026

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.

Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.

Emojis as a Functional Layer of Communication

Within threat actor communities, emoji usage is often structured and repeatable.

Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.

This is especially common in:

  • Telegram fraud channels
  • Phishing and carding communities
  • Service marketplaces and access broker groups

In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.

Common Emoji Categories and What They Signal

Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.

Financial Activity and Monetization

Emojis related to money are among the most frequently used.

Common examples include:

  • 💰 / 💸 — Profit, successful fraud, or payouts
  • 💳 — Credit cards, carding activity, or stolen payment data
  • 🏦 — Banks or financial institutions
  • 🪙 — Cryptocurrency-related activity

These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.

Access, Credentials, and Compromise

Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.

Examples include:

  • 🔑 — Credentials or account access
  • 🔓 — Successful breach or unlocked account
  • 📥 / 📤 — Data exfiltration or transfer
  • 🗂 — Databases or collections of stolen data

In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.

Tools, Automation, and Services

Emojis are also used to signal tooling and service offerings.

Examples include:

  • 🤖 — Bots, automation tools, or malware
  • ⚙ — Configuration, setup, or infrastructure
  • 🧰 — Toolkits or bundled services
  • 📡 — Infrastructure, communication channels, or delivery mechanisms

These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.

Targets and Geography

Threat actors frequently use emojis to represent targets or regions.

Examples include:

  • 🏢 — Corporate or enterprise targets
  • 🎯 — Targeting or “hits”
  • 📍 — Specific targets, drop locations, or points of interest
  • 🌐 — Global campaigns
  • Country flags — Specific geographic targeting

This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.

Urgency, Success, and Status

Some emojis are used to communicate momentum or importance.

Examples include:

  • 🔥 — High-value or trending activity
  • ✅ — Verified success or working method
  • 🚨 — Urgent update or active campaign
  • 📈 — Growth or increased results

These signals are particularly important in fast-moving channels where actors compete for attention.

Emojis as a Tool for Obfuscation

Beyond signaling, emojis are also used to evade detection.

Threat actors may substitute emojis for keywords associated with:

  • Fraud techniques
  • Financial activity
  • Specific platforms or services

For example, replacing “credit card” with 💳 or “bank” with 🏦 can help bypass basic keyword filters or reduce visibility in automated moderation systems.

When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.

Building Identity and Reputation Through Emoji Patterns

Emoji usage is not just functional. It can also be behavioral.

Over time, actors often develop recognizable patterns in how they use emojis:

  • Consistent combinations in sales posts
  • Repeated formatting styles
  • Unique ways of structuring messages

These patterns can serve as lightweight identifiers, helping analysts:

  • Track the same actor across different channels
  • Identify reposted or syndicated content
  • Link activity between platforms

In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.

Cross-Language Communication in Global Threat Ecosystems

Illicit communities are inherently global, spanning multiple languages and regions.

Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:

  • Large Telegram channels with international membership
  • Cross-border fraud operations
  • Decentralized marketplaces

For example, a combination of 💳 + 💰 + 🌍 can communicate “global carding opportunity” without requiring a shared language.

This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.

Context Still Determines Meaning

Despite these patterns, emoji usage is not universal or fixed.

The same emoji can carry different meanings depending on:

  • The platform (Telegram vs. Discord vs. forums)
  • The specific community
  • The surrounding text and context

For example, 🔥 may indicate “high value” in one group, but simply “active discussion” in another.

For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.

What This Means for Threat Intelligence Teams

Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.

Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:

  • Detection of emerging campaigns
  • Identification of high-value activity
  • Attribution and actor tracking
  • Interpretation of intent and sentiment

While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.

Supporting Security Teams with Threat Intelligence

Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.

Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.

This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Begin your free trial today.

The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

  •  

Introducing the Landing Zone Accelerator on AWS Universal Configuration and LZA Compliance Workbook

November 20, 2025: Original publication date of this post. This post has been updated to reference the most recent version of the LZA Compliance Workbook published to AWS Artifact in March 2026.


We’re pleased to announce the availability of the latest sample security baseline from Landing Zone Accelerator on AWS (LZA)—the Universal Configuration. Developed from years of field experience with highly regulated customers including governments across the world, and in consultation with AWS Partners and industry experts, the Universal Configuration was built to help you implement security and compliance at scale for on your regulated workloads. By setting a high bar with the latest AWS security best practices, the Universal Configuration can help address technical control requirements from compliance frameworks across different geographic regions and industry verticals. The Universal Configuration’s multi-account security architecture provides a foundation to host your diverse workload requirements today along with providing the ability to explore the generative AI and agentic AI solutions that will shape your organization in the future. It can also replace months of complex planning and design by deploying a comprehensive security and compliance-driven environment based on AWS Well-Architected principles in a matter of hours.

As organizations grow, they typically pursue or must adhere to new security compliance certifications. LZA and the Universal Configuration help organizations of all sizes and phases in their security and compliance journey. The speed of deployment, step-by-step documentation, and compliance resources can reduce traditional assessment and authorization timelines by months and result in more predictable and successful audit outcomes. This enables more freedom to invest resources to grow the business instead of choosing between security and compliance tradeoffs.

The Universal Configuration helps organizations:

  • Automate the deployment of a secure multi-account AWS environment
    • Foundational security controls based on AWS Well-Architected best practices
    • Apply consistent and predictable security controls post-deployment
    • Enable and integrate with native AWS security, identity, and compliance services
  • Implement controls across system layers
    • Organization-wide security architecture
    • Perimeter and resource-specific preventative, proactive, and detective controls
    • Support for multi-AWS Region resilience, disaster recovery, and active failover
  • Establish a foundation for security and compliance readiness
    • Built-in AWS security best practices and technical implementation statements
    • Map LZA capabilities across global and industry-specific compliance frameworks
    • Deploy hundreds of controls hours instead of months

The LZA Compliance Workbook

The LZA engine has been a trusted tool for quickly deploying secure multi-account AWS environments for over 4 years. It is also cost effective because you pay only for the AWS services used to operate your environment. The Universal Configuration is the first sample configuration accompanied by the LZA Compliance Workbook available on AWS Artifact. It is a first-of-its-kind resource with detailed control mappings showing how the Universal Configuration can support different industries and regions, helping you address requirements from frameworks listed below.

  • NIST 800-53 Rev5
  • C5: 2020 (Germany)
  • HIPAA
  • SOC 2
  • CMMC Level 2
  • ISO/IEC 27001 Annex A
  • US Dept of War CCI
  • NERC-CIP
  • NIST 800-171
  • NATO D-32 Appendix B
  • NIST CSF 2.0
  • CIS Critical Controls v8

The LZA Compliance Workbook is regularly maintained to reflect the latest Universal Configuration baseline and will include additional compliance mappings in future releases. The workbook contains detailed security configuration descriptions based on the Universal Configuration deployment files, along with control requirement mappings and implementation statements that translate its security capabilities into a compliance-friendly format. By combining AWS security best practices with global compliance expertise, the Universal Configuration delivers predicable security outcomes while also helping you meet regional and industry requirements.

Getting started

To get started with the Landing Zone Accelerator on AWS Universal Configuration, the LZA Implementation Guide walks you through the steps, use cases, and considerations when deploying with LZA. You can download the LZA Compliance Workbook from AWS Artifact today and configure notifications to receive emails when future versions are released. You can view the deployment files and additional technical implementation guidance on the GitHub Universal Configuration sample and documentation page. Additionally, visit the AWS Partner Network (APN) for help with audit and advisory initiatives, cloud migrations, deploying the LZA Universal Configuration, and other services. You can visit the AWS Partner Finder tool and search by solution for Landing Zone Accelerator for the latest LZA Partner offerings.

If you have feedback about this post, submit comments in the Comments section below.

Kevin Donohue

Kevin Donohue

Kevin is a Senior Security Compliance Engineer at AWS, where he builds solutions and resources to help AWS customers achieve their security and compliance goals. Prior to joining the Landing Zone Accelerator team in AWS Professional Services in 2024, Kevin began his tenure with AWS Security in 2019 specializing in FedRAMP compliance and the shared responsibility model.

Christine Screnci

Christine Screnci

Christine is a Principal Technical Product Manager at AWS, where she specializes in developing and scaling enterprise-level solutions. Christine began her tenure with AWS in 2016 working with Worldwide Public Sector customers to improve the migration and modernization journey through globally scaled solutions. She is passionate about hypothesis-driven development and experimentation to improve customer experiences with AWS technologies.

Bhavish Khatri

Bhavish is a Senior Delivery Engineer at AWS, where he builds enterprise-scale solutions to help large organizations achieve their compliance goals. Bhavish started at AWS in 2018, specializing in multi-account AWS deployments and focusing on LZA and the Universal Configuration solution. He helps organizations build secure, scalable cloud environments that align with global compliance frameworks and regulatory requirements across diverse sectors.

  •  

Closing the Gap by Enhancing Visibility and Mitigating Risks

In the race to digitise public services, the UK’s digital estate has grown into a vast, borderless ecosystem that manual audits can no longer track. For UK Government departments, local authorities and NHS trusts, it is a sprawling, shifting landscape of cloud workloads, legacy infrastructure, shadow IT and third-party supplier connections.

This complexity creates blind spots that modern threats exploit. Recognising this vulnerability, the UK Government is moving toward a secure-by-design digital infrastructure, with the 2026 Government Cyber Action Plan (GCAP) setting a high bar for resilience. A central theme of the GCAP is the urgent need for the government to have better visibility of cyber security and resilience risk. Fundamentally, organisations cannot secure what they cannot see. As the GCAP explicitly states, the Government will use “data sources from across the government to truly understand government-wide and departmental cyber risks.”

The Challenge: Visibility in a “Landscape”

Many public sector organisations rely on a complex web of spreadsheets, data calls, legacy tools and manually curated lists to create an inventory of their internet-connected assets. But attackers do not look at an organisation's internal lists; they scan the internet for what they have forgotten to secure. Whether it is an unpatched server from a legacy project or a misconfigured database in a department, these "unknown unknowns" are the primary entry points for attackers.

The Strategic Mission: Empowering the Public Sector and Critical Industries

Palo Alto Networks Cortex Xpanse® is an active external attack surface management (EASM) solution that provides an outside-in view of organisations' entire digital footprint. It helps leaders meet national resilience goals:

  • Comprehensive, Continuous Visibility: Xpanse scans the global internet space continuously and identifies every asset associated with an organisation, without requiring software agents to be installed on your systems.
  • Accelerate Response: Leveraging automation, the solution streamlines response processes and enhances collaboration across dispersed teams from the sharing of findings to tracking actions and remediation.
  • Supply Chain Integrity: Inline with the new Cyber Security and Resilience Bill (bringing managed service providers and critical third parties into scope), Xpanse allows organisations to assess the internet-facing security posture of third-party partners and suppliers, ensuring a weak link elsewhere doesn't compromise the broader mission.
  • Alignment with GovAssure: Xpanse provides a consolidated risk profile and inventory for all internet-facing and cloud assets required for GovAssure assessments, turning a manual, months-long audit process into a continuous, data-driven cycle.
  • Investment prioritisation: Xpanse provides that much needed visibility to help executive committees and boards prioritise investment decisions on legacy IT and technical debt.

Aligning to National Cybersecurity Centre (NCSC) Guidance

How external attack surface management products work.

Palo Alto Networks Cortex Xpanse aligns with the National Cyber Security Centre (NCSC) external attack surface management (EASM) buyer's guide by providing automated discovery, continuous monitoring and risk prioritisation of internet-facing assets. It replaces manual, point-in-time audits with a proactive, agentless solution. By automating the discovery of all internet-accessible assets (including shadow IT and unmanaged cloud operations) the platform fulfills the NCSC’s core requirement for continuous global monitoring and rapid attribution. This data-driven approach allows for the automated prioritisation of critical exposures, such as RDP, and integrates seamlessly with multiple third-party automation and visualisation tools, including Cortex XSOAR® and XSIAM, to accelerate remediation with national incident response standards.

In fact, with Palo Alto Networks deployment of Cortex Xpanse, we were able to achieve a 95% reduction in external vulnerability management spending across more than 700,000 cloud instances, while improving coverage and outcomes.

Palo Alto Networks Cortex Xpanse Capabilities
  • Discover Assets: Leveraging organisations' known asset inventory and other data points, Xpanse performs continual, automated discovery of all internet-accessible assets, effectively eliminating blind spots created by shadow IT and unmanaged cloud operations.
  • Obtain Information: Always-on, continuous monitoring of an organisation's entire attack surface through daily scans of the global IP address space, ensuring that newly exposed services are identified quickly and accurately.
  • Perform Analysis: Xpanse automates and prioritises alerts on all identified risks by severity, enabling organisations to optimise resolution and risk management, allowing teams to properly allocate resources and focus on the most critical risks to the organisation.
  • Display Information and Provide Advice: Leveraging a unified view of the internet facing and cloud-based estate, Xpanse provides specific resolver guidance for every identified issue, supporting and monitoring automated resolution through multiple native integrations.
  • Monitor Risk: Always on, discreet continual monitoring provides an independent real time status of the digital estate. Leveraging the threat intelligence capabilities of Palo Alto Networks, Xpanse is uniquely positioned to provide rapid coverage for newly discovered vulnerabilities, exploits or misconfigurations.

Securing the public sector requires a move from manual, point in time assessments to data-driven intelligence. Cortex Xpanse provides the foundations to remove blind spots, secure the supply chain and prevent unknown vulnerabilities in the face of sophisticated threats.

For further information and case studies, visit the links below, or schedule a demo.

  • Palo Alto Networks: Slash false positives, remediation time budget with Cortex attack surface management.
  • U.S. Pentagon: Palo Alto Networks Cortex Xpanse supercharge the Cyber Defences for the Department of Defense.
  • Accenture: Secure rapid growth with Cortex Xpanse.

The post Closing the Gap by Enhancing Visibility and Mitigating Risks appeared first on Palo Alto Networks Blog.

  •  

Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentication

Explore Google’s synced passkey architecture. Unit 42 details its mechanisms, key management, and secure communication in passwordless systems."

The post Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentication appeared first on Unit 42.

  •  

Microsoft Authenticator could leak login codes—update your app now

A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. 

Deep links are predefined URIs (Uniform Resource Identifiers) that allow direct access to an activity in a web or mobile application when clicked. In simple terms, they are specifically constructed links used to open an app and complete actions like signing in.

Microsoft Authenticator is a mobile app that generates time-based one-time codes and handles sign-in links and QR-based logins for Microsoft and other accounts. It is widely used for multi-factor authentication (MFA) on personal phones, including BYOD (Bring Your Own Device) devices that protect access to corporate and production services.

This vulnerability affects users who have Microsoft Authenticator installed on an iOS or Android device. For the vulnerability to be exploited, the user would first need to install a malicious app on their device and then accidentally choose that app to handle a sign‑in deep link.

If that happens, the malicious app receives the one-time code or sign-in information and can potentially use it to authenticate as the victim.​

If successful, an attacker could:

  • Complete login flows to services that trust your Microsoft Authenticator codes.
  • Access the information and services available to the compromised account (email, files, cloud apps, or production systems in a BYOD context).​
  • Potentially pivot to additional accounts if those are also protected by codes delivered via Authenticator on the same device.

How to stay safe

The fix for CVE-2026-26123 is already included in current releases, so installing updates is the most effective mitigation.

  • On iOS: Open the App Store. Tap the My Account button or your photo at the top of the screen. Scroll down to see pending updates and release notes. Tap Update next to an app to update only that app, or tap Update All.
  • On Android: Open the Google Play Store app. At the top right, tap the profile icon. Tap Manage apps & device. Under “Updates available,” tap See details. Next to the app you want to update, tap Update. To update all your apps at the same time, tap Update all.

Note: If your device manufacturer has implemented a different method to apply app updates, the steps may vary slightly.

If you are temporarily unable to update the app, avoid installing new apps that request to handle authentication links, QR-based sign-ins, or web-to-app sign-in flows.

When scanning QR codes or tapping sign-in links, verify that the handler is Microsoft Authenticator or another trusted app, and not an unknown, recently installed, or otherwise suspicious app.​

Where possible, use alternative MFA options you already trust (such as built-in authentication in your password manager or platform-specific solutions like Apple’s password features) until you can apply the update.

Use anti-malware protection for your mobile devices that can help detect malicious apps.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

  •  

Sextortion “I recorded you” emails reuse passwords found in disposable inboxes

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”

If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.

The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.

Here’s one of the emails:

screenshot of sextortion email

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!

The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.

Where the password comes from

I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.

FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.

As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.

My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.

So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.

How to stay safe

Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:

  • Don’t rush. Scammers rely on fear and urgency. Take a moment to think before reacting.
  • Don’t reply to the email. Responding tells the attacker that someone is reading messages at that address, which may lead to more scams.
  • Change your password if it appears in the email. If you still use that password anywhere, update it.
  • Use a password manager. If you’re having trouble generating or storing a strong password, have a look at a password manager.
  • Don’t open unsolicited attachments. Especially when the sender address is suspicious or even your own.
  • Don’t use disposable inboxes for important accounts. The mail in that inbox might be available for anyone to find.
  • For peace of mind, turn your webcam off or buy a webcam cover so you can cover it when you’re not using the webcam.

Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

  •  

Sextortion “I recorded you” emails reuse passwords found in disposable inboxes

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”

If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.

The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.

Here’s one of the emails:

screenshot of sextortion email

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!

The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.

Where the password comes from

I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.

FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.

As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.

My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.

So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.

How to stay safe

Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:

  • Don’t rush. Scammers rely on fear and urgency. Take a moment to think before reacting.
  • Don’t reply to the email. Responding tells the attacker that someone is reading messages at that address, which may lead to more scams.
  • Change your password if it appears in the email. If you still use that password anywhere, update it.
  • Use a password manager. If you’re having trouble generating or storing a strong password, have a look at a password manager.
  • Don’t open unsolicited attachments. Especially when the sender address is suspicious or even your own.
  • Don’t use disposable inboxes for important accounts. The mail in that inbox might be available for anyone to find.
  • For peace of mind, turn your webcam off or buy a webcam cover so you can cover it when you’re not using the webcam.

Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

  •  

How the National Cyber Strategy Secures Our Digital Way of Life

A Pivotal Moment for National Security

As the digital landscape undergoes profound shifts, the recently released National Cyber Strategy provides the essential foundation for enduring American leadership. By prioritizing the disruption of hostile actors, future-proofing networks, accelerating quantum readiness, and securing the AI frontier, the strategy provides the strategic clarity necessary to protect our digital way of life from sophisticated adversaries. Palo Alto Networks commends National Cyber Director Sean Cairncross for his leadership and looks forward to working with the administration to operationalize this strategy.

Each pillar of the strategy galvanizes meaningful action to advance our collective defense:

Shape Adversary Behavior (Pillar 1)

This signals a decisive shift toward the proactive disruption of malicious actors. The Trump Administration has made clear that the U.S. Government should impose real costs on adversaries to change their behavior. While the private sector is already executing discrete disruptions against malicious actors, coordination has historically been fragmented. The strategy identifies that increased collaboration with private sector entities, who possess unique insight into adversary behavior, can in turn enable more impactful deterrence.

Promote Common Sense Regulation (Pillar 2)

The strategy appropriately recognizes that complexity is the enemy of security. A focus on measurable improvements in cyber outcomes (versus check-the-box compliance exercises) collectively makes us all safer. While much attention is rightfully paid toward harmonizing incident reporting requirements, which Palo Alto Networks wholeheartedly supports, let’s not stop there. The federal government can lead by example by consolidating and streamlining federal government software compliance certifications. For example, there should be logical reciprocity between FedRAMP High and DoW IL-5 certifications.

Modernize and Secure Federal Government Networks (Pillar 3)

In addition to the necessary attention on AI-powered cyber defense, cloud security and zero trust network architecture, Palo Alto Networks applauds the discrete focus on quantum-safe security ahead of “Q-Day,” the point where quantum computing capabilities will compromise legacy public key encryption that has underpinned cybersecurity for decades. As Federal CISO Mike Duffy recently stated, "Modernization without considering PQC readiness or cryptographic agility is really creating technical debt in the future, something that we don’t want to see ever.”

To address this challenge, Palo Alto Networks provides a structured quantum-safe framework organized into four stages:

  • Continuous Discovery – Automating ecosystem ingestion to identify cryptographic dependencies.
  • Risk Assessment & Prioritization – Evaluating vulnerabilities to establish a data-driven remediation roadmap.
  • Comprehensive Remediation – Executing the transition to post-quantum algorithms across the architecture.
  • Governance & Crypto-Hygiene – Maintaining long-term visibility and management.

The bottom line is that 2035 is too late. Quantum readiness must accelerate today, and this strategy will set a critical North Star to drive the necessary urgency.

Secure Critical Infrastructure (Pillar 4)

Critical infrastructure resilience is central to our homeland security, economic security, public health and safety. Unfortunately, critical infrastructure entities are increasingly under assault from emboldened cyber adversaries.

In fact, Palo Alto Networks research shows some form of operational disruption in up to 86% of major cyber incidents. Our 2026 Global Incident Response Report underscores another sobering reality: These entities are under assault from all angles. In 87% of cyber incidents, attacks targeted multiple attack surfaces, which spanned the network, cloud, endpoints and identity.

Recognizing that you can’t secure what you can’t see, we need a national-level effort to identify, prioritize and harden the critical infrastructure that the American people depend upon. This strategy puts an important marker in the ground to revitalize those efforts.

Sustain Superiority in Critical and Emerging Technologies (Pillar 5)

Palo Alto Networks was pleased to see the strategy reinforces the core tenets of the AI Action Plan, emphasizing that "secure-by-design" principles for AI technologies are non-negotiable and that AI adoption and AI security can and must be inexorably linked.

Enterprises should be able to deploy AI confidently without fear of data leakage, model tampering or rogue AI agents. However, despite our research showing an 88% success rate of “jailbreaking” techniques against widely deployed AI models, only 6% of organizations currently have an AI security strategy. It’s time to flip this paradigm and put defenders back in the driver’s seat in this AI-first moment.

To support this emerging consensus around the importance of promoting AI security, we developed the Secure AI by Design Policy Roadmap. This framework provides a four-part construct to evaluate the evolving dimensions of threats to AI systems. Palo Alto Networks is also proud to make its comprehensive AI security suite, Prisma® AIRS™, available to all federal agencies at substantial discounts through GSA’s OneGov Initiative.

Build Talent and Capacity (Pillar 6)

Recognizing America’s cyber workforce as a “strategic asset,” the strategy calls for a pragmatic and accessible pipeline for developing talent. The explicit recognition that we should take advantage of existing avenues across government, industry and academia is important. For example, Palo Alto Networks is proud of the impact of its Cybersecurity Academy – that provides free, NIST Framework-aligned curricula covering essential domains, such as cybersecurity fundamentals, enterprise and network security, cloud security, security operations and the AI/cybersecurity nexus.

Resources like this, and those for other entities, can form the basis of a renewed focus on cyber talent development.

Turning Strategic Vision Into Action

Palo Alto Networks views itself as more than a cybersecurity vendor. We see ourselves as an integrated national security partner of the federal government at a moment when defending our digital way of life demands all of us working together. To that end, we are ready to do our part to turn strategic vision into action.

This strategy should be applauded. Let’s roll up our sleeves and get to work.

The post How the National Cyber Strategy Secures Our Digital Way of Life appeared first on Palo Alto Networks Blog.

  •  
❌