Normal view

The Language of AI Could Change How Humans Speak

9 July 2026 at 13:00

Because of the way they are trained, large language models capture only a slice of human language. They’re trained on the written word, from textbooks to social media posts, and our speech as captured in movies and on television. These models have minimal access to the unscripted conversations we have face to face or voice to voice. This is the vast majority of speech, and a vital component of human culture.

There’s a risk to this. The increased use of large language models means we humans will encounter much more AI-generated text. We humans, in turn, will begin to adopt the linguistic patterns and behaviors of these models. This will affect not just how we communicate with one another, but also how we think about ourselves and what goes on around us. Our sense of the world may become distorted in ways we have barely begun to comprehend.

This will happen in many ways. One of the first effects we could see is in simple expression, much as texting and social media have resulted in us using shorter sentences, emojis instead of words, and much less punctuation. But with AI, the impacts may be more harmful, eroding courteousness and encouraging us to talk like bosses barking orders. A 2022 study found that children in households that used voice commands with tools like Siri and Alexa became curt when speaking with humans, often calling out “Hey, do X” and expecting obedience, especially from anyone whose voice resembled the default-female electronic voices. As we start to prompt chatbots and AI agents with more instructions, we may fall into the same habits.

Next, in the same way autocomplete has increased how much we use the 1,000 most common words in our vocabulary, talking with chatbots and reading AI-generated text may further constrict our speech. A recent University of Coruña study found that machine-generated language has a narrower range of sentence length, averaging 12-20 words, and a narrower vocabulary than human speech. Machine-generated text reads as smooth and polished, but it loses the meanders, interruptions and leaps of logic that communicate emotion.

Additionally, because large language models are primarily trained from written speech, they may not learn how to emulate the free-wheeling nature of live, natural speech. When told “I hate Beth!”, ChatGPT replies with an uninterruptable three-part formula of affirmation (“That’s completely valid”), invitation (“I’m here to listen”) and invitation (“What’s going on?”) far longer than any reply plausible in face-to-face dialog. “What’s Beth’s deal?!” elicits a bullet point list of queries that reads like a multiple-choice exam question (“Is Beth * a celebrity? * a friend from school? * a fictitious character?”). No human speaks that way, at least not yet. But meeting such formulas repeatedly in a speech-like context may teach us to accept and use them, much as a child absorbs new speech patterns from spending time with a new person.

These influences will only increase with time. The writing large language models train on is increasingly produced by large language models themselves, creating a feedback loop in which they imitate their own inhuman patterns, even while teaching humans to imitate them too.

Broad use of large language models could also introduce confirmation bias, making us overconfident in our initial impulses and less open to other possible ideas—which is so vital to human discourse. Many chatbots are instructed to agree with our statements no matter how absurd, enthusiastically supporting half-formed or even incorrect notions and restating them as firm claims that we’re primed to agree with. When asked “Cake is a healthy breakfast, right?” or “Is the post office plotting against me?”, this sycophancy can reinforce bias and even worsen psychosis. And the hyperconfident tone of AI-produced writing will also heighten impostor syndrome, making our natural, healthy doubt feel like an aberration or failing.

In our experience as teachers, students who turn to generative AI for assignments often say they do so because they have trouble expressing what they think. The students don’t recognize that writing or speaking our thoughts is often how we realize what we think. Their unconfident and uncertain statements are actually the healthy human norm. But a large language model won’t turn vague first guesses into a well-formed critical analysis, or even ask helpful questions as a friend would; it will simply regurgitate those guesses, still unexamined, but in confident language.

We are also more vicious in social media posts and online chats than we are face to face. The well-documented online disinhibition effect encourages toxic language. Most of us have had the experience of venting ferocious rage about someone online, only to reconcile when we speak face to face or hear the warmth of a voice over the phone. While chatbots are trained to give sycophantic responses, they see humankind at our cruelest, learning about us from the only world where every flame war leaves an eternal written footprint, while the spoken conversations of forgiveness and reconciliation fade away. Their responses do not imitate our online aggression, but are still shaped by it, even in their rigid efforts to avoid it.

It’s easy to draw the wrong conclusions from a selective slice of a society’s communications. Medieval Norse sagas made us imagine a culture of mostly Viking warriors, since poets rarely described the farming majority. Chivalric romances focused on kings and courts, and long made us see the middle ages as a world of monarchies, erasing the many medieval republics. Statistically, we’ve been led to believe ancient Romans cared deeply about their republic, but 10% of all surviving Latin was written by one man, Cicero, whose work contains 70% of all surviving Roman uses of the word republic. Training language models on only certain human writings may introduce similar distortions. AI might make us seem more quarrelsome, as we are online. It might inflate the cultural significance of political topics primarily discussed on Twitter/X or Bluesky, or the massive topic-specific corpuses of LinkedIn and Goodreads.

Some large language models are being trained on human speech from movies and television shows, but that speech is still scripted, and disproportionately highlights certain contexts over others (for example, police dramas, fueled by stories of murder, make up a quarter of prime-time television programming). We are not funny or hurtful or romantic the same way in real life as we are in sitcoms. At least one startup is offering to pay people to record their phone calls for AI-training purposes, but this remains a niche idea; anything large scale would cause massive privacy concerns.

We don’t pretend to know what the best solutions might be. But one has to imagine if there’s ingenuity to develop AI models, then surely there’s ingenuity to come up with a way to train them on informal human speech instead of us only at our most stylized, veiled and sometimes worst. By excluding the overwhelming majority of language production on the planet—people talking, fully and naturally, to each other—these models are being trained to mirror everything but us at our most authentically human.

This essay was written with Ada Palmer, and originally appeared in The Guardian.

Finding the “Goldilocks” Zone: A Practical Approach to Alert Triage

We're all petrified about missing a critical event or misclassifying an alert, but when we're talking about incident response (IR), there are often hundreds if not thousands of alerts to parse through. It's easy to get caught up with one alert because it feels "too hot" or maybe not spend enough time looking into something that initially seems "too cold."

The post Finding the “Goldilocks” Zone: A Practical Approach to Alert Triage appeared first on Black Hills Information Security, Inc..

DEW #162 - Detonating TTPs with Agents, Writing Rules for Malicious Coding Agents & Skills Threat Models

8 July 2026 at 14:03

Welcome to Issue #162 of Detection Engineering Weekly!

Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!

✍️ Musings from the life of Zack:

  • I had an excellent long weekend celebrating the 4th of July here in the U.S.! It was a good lead-up to a rather disappointing World Cup loss on Monday :(

  • We recently bought a kids’ WiFi landline phone thing so they can call family and chit-chat. Let me tell you: it’s been terrible. The quality/service is poor, and it just feels cheap. So, I’m trying my hand at rolling my own FreePBX server with an upstream trunk provider. I haven’t been this excited about a project in a long time :D will report back once I get it deployed

Detection & Response Happy Hour @ Black Hat

If you are going to be in Vegas during Black Hat, come swing by Tom’s Watch Bar @ the NYNY Casino right on the strip on Tuesday!

I’m running it back after BSides/SFRSA with friends and supporters of the newsletter, Cotool.ai. It was super chill at RSA with no vendor b.s., so escape Mandalay Bay and come talk shop with other practitioners.

Register Now!


💎 Detection Engineering Gem 💎

End-to-end detection validation using coding agents by Kyrre Wahl Kongsgård

This blog is one of the single best deep dives on detection validation I’ve seen in years. It hits a bunch of themes, including types of detection testing and architectural decisions for building and deploying end-to-end tests, and clearly describes an elegant and repeatable agentic loop for this use case. Let’s break it down piece by piece, because there’s a ton here and I highly recommend reading this one if you don’t want to touch any other story in this issue.

Types of detection testing illustrated in the blog

Security folks tend to steal concepts from SRE and developers and relabel them with fancier, cooler names, but the underlying principles remain the same. The picture above from Kongsgård shows how we celebrate concepts like testing and “chaos engineering” in security and map them to the security telemetry lifecycle. Regression tests, for example, focus only on verifying that an input (telemetry) produces an output (alert). Synthetic ingestion is an integration test of the ingestion and shaping of telemetry to generate an alert. End-to-end testing looks at the full telemetry → detection → response pipeline.

My favorite themes

Since this post has enough content to fill several posts, I’m going to point out two of my favorite themes so it doesn’t feel like I’m repeating or rewriting Kongsgård’s content.

Lab environment and TTP framework

Booting labs up to run simulations takes a ton of time and effort, especially if you are starting from scratch. The goal is to replicate your environment as closely as possible, but there are always trade-offs in simulation. Some of these tradeoffs include:

  • Environment mirroring: A host running in a VPC can help mirror what your endpoints or cloud resources look like, but it won’t be exact. Detonating potentially dangerous tooling inside a production environment can introduce externalities or even real security incidents if you aren’t careful

  • Baseline activity: A user, much like an agent, is non-deterministic. The telemetry they generate from normal activity is just as important to model as the malicious traffic itself

  • Provisioning discipline: Running a small amount of Atomic or Stratus Red Team tests is manageable from an individual detection engineer’s perspective. If you want to run your whole catalog of detections, you need to start thinking like an SRE or software engineer, as you’ll hit scaling and drift issues with your infrastructure

Kongsgård’s detonation environment has a high level of discipline to address these tradeoffs. The section on the Lab environment uses several DevOps paradigms, such as golden images, configuration management, and deployments via GitHub Action runners. Under the hood, they use Meta’s TTPForge as their adversary simulation framework for execution on detonation hosts. It offers a content-rich, multi-step attack-generation feature set that is adaptable to their agent-harness framework.

Agents as validation drivers and the schema knowledge base

Singular prompt, one-shot agents have their place in implementing agentic systems in security, but they tend to perform poorly as tasks become more heterogeneous. Since the task is end-to-end detection validation with TTP generation, rule tuning, and detonation, a Claude Code or Codex agent would not be sufficient.

The harness is the differentiator for anything agentic security. Remember that! Their agent isn’t improvising an attack; it’s following a plugin that teaches it to write TTPForge YAML files, ship them over SSH to a lab host, run the detonations, and then queries Splunk to see whether telemetry arrived and the detection matched. When a step fails, lifecycle hooks block progress until the agent finds the issue. Here’s the high-level architecture:

My recommendation to all my readers is to design your agentic workflows around single agents that do one thing very well. It’s as if you are extracting one piece of expertise from your brain and encoding it into a prompt to do a single thing. In this particular case, Kongsgård designed two plugins to perform discrete tasks.

  • detectionkit builds the TTP definition via TTPForge, writes the detonation test, deploys and runs the detonation. Its singular purpose is to replicate threat actor activity in a common & repeatable lexicon

  • splunk is the plugin that performs the validation that the correct telemetry was captured, the search for the rule was performed quickly, and continuously discovers index structure to understand rule performance and drift

Security vendors who sell agentic capabilities typically don’t expose their harnesses at the level of detail shown in this blog. Researchers and open-source enthusiasts are quickly catching up with these vendor-led harnesses, and this truly gives detection teams agency to choose between build and buy.

It’s been easier to admit that I can’t imagine a world without a Claude Code or Codex. The prompt was the star of the show for the first year or so of this coding agent frenzy, but it’s now squarely the quality of the harness that brings detection to the next level.


🔬 State of the Art

Detecting Agentic Threats in Claude: Writing Rules on the Execution Layer by Andrew Byford

This is a Part 2 post from Byford’s previously featured work on writing rules for Anthropic’s Compliance API. The cool part here is that, unlike his last post, which focused on the prompt content itself, this looks at the execution layer of the coding agents. I’ve always interpreted the execution layer as how the agent interacts with the filesystem itself. This presents unique detection challenges because, in my opinion, the impact is the same, such as downloading and executing a binary, but the paths are different, such as malicious skills, reading a malicious prompt, or loading a malicious plugin.

Byford splits the threat categories into five distinct buckets: excessive agency and permissions, supply chain threats, dangerous actions, sensitive information disclosure, and data poisoning. The architecture is clever where the Compliance API is used as an enrichment backdrop during investigations, so you can combine unstructured data from prompts with the structured data generated from Claude hooks:

And here’s the enrichment layer after a SIEM rule fires from the OTel collector:

Much like detection engineers have had to become supply chain security experts in the last two years, I don’t see a world where we also must become AI Coding agent experts in the next year or so. I never considered using prompt and response content generated from coding agents in the Compliance API as additional context for SIEM alerts, so I’m now going to steal that idea and see what I can do at my day job (sorry, Andrew!).


SOC Bench by DeepTempo

Evaluation datasets are critical for understanding model performance. Much like in my analysis of this week’s Gem, one-shot prompts can perform well under very constrained conditions, but without something to measure real-world malicious vs. real-world benign, you should limit your confidence in virtually all agentic security applications.

I found this SOCBench website & corresponding open-source repository, and it reminded me of Cotool’s Research benchmarks with similar datasets. This specific one includes a NetFlow dataset containing both malicious and benign network traffic. It’s also a bit more opinionated about persona benchmarks, ranging from SOC analyst to detection engineer, and includes more architecture, with tool catalogs and playbooks for those personas. Their first benchmark around detecting maliciousness:

Anthropic performed the best but it looks like it cost the most. I find it interesting that OpenAI’s benchmark had the threat analyst perform the best vs the SOC analyst in the other two.


Skills Registry Threat Models by Andrew Nesbitt

Two issues ago, I linked a blog by Aman Khurana that helped demystify the peculiar supply chain architecture behind VSCode extensions. The big takeaway I took from that blog is that not surprisingly, the more security engineers dig into supply chain security, the more they realize how difficult it is to piece together OSS ecosystems to perform effective detection and blocking. Coding agents are built to be autonomous and extensible, just like OSS. The difference lies in the non-deterministic way these agents perform coding tasks, due to intentionally designed boundaries.

In this post, Nesbitt unveils his threat model around coding agent skills. A skill is a bundle of prompts, code, dependencies, and tool permissions. Anytime a skill is used, the skill prompt is injected into the context window, and a set of tools and scripts gets exposed to the coding agent. The more frightening part of the Skills supply chain security is that, instead of a single npm command installing other packages in Node that eventually land a piece of malware, you can have a Skill install packages from virtually any ecosystem, and sometimes those packages are just more prompts.

I don’t think we are truly ready for a large-scale malicious Skill campaign, much like what we’ve seen with the likes of TeamPCP. Nesbitt points out several issues with how Skills are installed, deployed, and managed, and it certainly seems that this ecosystem is in the same stage that npm was in several years ago.


☣️ Threat Landscape

FBI Seizes NetNut Proxy Platform, Popa Botnet by Brian Krebs

The DoJ nabbed another residential proxy platform linked to the Popa Botnet. Krebs post here helps aggregate some of the data published by researchers at Google, Lumen and Spur. The wild part to me is that this proxy platform is linked to an Israeli company, and I’ve always assumed that these networks are owned by non-Western firms who are harder to work with outside of the U.S.’ sphere of influence.

These types of botnets finally figured out how to monetize without DDoSing. Krebs referenced research from Spur that nearly 50% of TV Apps on the LG Smart TV platform add the TV to these botnets, which are then sold as residential proxies.


I found a malware hiding in my tailwindcss config file. by Couch Potato

Super interesting write-up from a developer who encountered a Contagious Interview-style backdoor in their Tailwind configuration. They never figured out how it got there, but the indicators are classic Contagious Interview:

  • Targeting developers and backdooring their code

  • C2 server communication to an immutable blockchain style API

  • Rewriting git history to conceal the compromise

It didn’t necessarily say what the impact was or whether the campaign resulted in data exfiltration. They did find several unknown processes running in their production environment, so likely something happened there. If I had to guess, it was a PwnRequest due to the rewriting of the git history, but that’s about as far as I’ll go before I start placing bets.


Linux Backdoor Targeting iKuai Routers by dmpdump

This is a cool Linux backdoor writeup of a piece of malware that, based on my ~limited research, targets a Chinese-focused router typically deployed to East Asian/Chinese businesses. It’s an ELF binary that impersonates OpenWRT’s libjson_script.so.0. It was hard to ascertain at first, but it certainly is not a shared library and runs in userland. I don’t necessarily know whether the victimology is Chinese firms, which could make this a Western-based piece of malware, but it seems compact and very specifically designed for one router brand, which makes it smell like an APT implant.


ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 by Michael Kelley

The TALOS research team uncovered an offshoot of EvilTokens, a device-code phishing-as-a-service kit. Kelley uncovers the initial BEC-style lure and then reverse-engineers the kit to find modern front-end components, such as single-page application lures, and a full backend dashboard written in React. Some of the differentiating features of ARToken Kelley found include keyword searching across victim mailboxes, post-exploitation tooling against victim SharePoint servers, and even collaborative session links for operators working on the same ARToken deployment server.

Lydia Graslie’s Gem from last week helps protect against some of these attacks, especially if you monitor which Microsoft management surfaces emit audit data for device‑code flows and token lifecycles, and treat gaps and schema shifts as first‑class detection problems.


🔗 Open Source

DeepTempo/socbench

SOCBench’s open-source harness for evaluating alert datasets. The current dataset only contains NetFlow telemetry, but it looks like they want to add more. Their harness is the most interesting between playbooks, personas and how they run the evals themselves.


secdev02/EasyTokens

EasyTokens is a device code phishing toolset that emulates device code phishing as a service kit like EvilTokens. This one is more focused on performing the device code phishing attack itself, so you can use this to pivot into cloud and M365 environments.


kernelstub/Nox

Nox is an open-source attack surface scanning tool. There are 300 module plugins across 24 different categories. You can run each module individually or run a full scan that steps across all 24 categories to find everything from exposed credentials, vulnerabilities and OSINT findings.


phishdestroy/shortdot-evidence

Shortdot is a registry operator that hosts seven top-level zones (TLDs) that, according to PhishDestroy, almost exclusively contain fraud, phishing, and malware websites. This repository holds all of their research, enumerating the zones and their phishing website analysis across the seven sketchy-looking TLDs. Their research also includes financial research and how Shortdot charges ICANN fees to operate these zones.

Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!

Cybersecurity and the Gap Between Skill and Ability

8 July 2026 at 13:03

Last week, national security agencies from the Five Eyes—that’s the rich, English-language-speaking countries club—jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more measured than some of the breathless headlines about it, and the advice they gave is pretty much the standard advice everyone gives—albeit with newfound urgency.

Internet risks are nothing new, and cyberattacks—both large and small—have been a significant issue since long before the current crop of generative AI models.

What’s been changing over the decades, and what AI is changing even faster, is the gap between skill and ability. For most of human history, the two terms were synonymous—but computers have decoupled them. As the gap between the two expands, humans empowered with these AI tools can do more: more writing, more research, more analysis and also more damage than ever before. These models can, with little detailed direction, autonomously hack into networks, steal data, deploy ransomware and destroy systems. And to the extent there is a solution, it’s going to involve harnessing AI for the defense.

In 1998, seven people from the hacker group L0pht testified before Congress. They told a mostly clueless Senate committee that they could take down the internet in 30 minutes. That was partly real and partly bravado, but it illustrates an important point: hacking into systems, stealing data and causing damage all required skill.

Contrast the L0pht hackers with hackers derided as “script kiddies.” They didn’t understand computers, or security. Instead, they used hacker tools written by others. Their actions required minimal skill and even less knowledge. But once those hacking tools became widespread, the number of potential attackers increased.

That number has continued to increase, as quality and availability of prewritten attack tools has grown. And it is growing dramatically with AI. Today’s AI systems—not just the frontier models, but most of them—are capable of carrying out cyberattacks automatically. They all do better in the hands of skilled attackers, but increasingly they are able to act autonomously with only minimal prompting.

The thing about people with ability but no skill is that they are often outsiders, not part of any professional community, and not bound by any rules or norms. This phenomenon is much more general than in cybersecurity. Any doctor can tell you how to untraceably poison someone, and many virus researchers know how to create a bioweapon. Any bridge engineer can tell you how to place explosives to blow a bridge up. The reason that murderous doctors and terrorist engineers are so rare is that the lengthy process of acquiring those skills also instills a moral and ethical code. If every random person has access to good poisoning advice, that puts us all in danger.

Modern AI systems are, in effect, a universal adviser to help people do harmful things. And while the current AI megacorporations are trying to build guardrails to prevent people from asking questions whose answers will enable the questioner to do harm, that’s not going to work in the long term. Smaller, cheaper, open-source models, including models that can run on people’s computers, and especially groups of models that run in concert with each other, are just as good as the frontier models from companies like OpenAI and Anthropic. And they continue to get better. These models will be passed around from person to person, like script kiddie hacker tools, and they won’t have any such guardrails.

Instructing AI models to spy on people and report any malicious prompts to the authorities fails for similar reasons. The megacorporations can do that, but the locally run open source models won’t. This could buy us a few months at best.

A third possibility is to somehow make the models themselves unable to hack into computers, create bioweapons or do anything else that might harm people or society. That won’t work, for the same reason we can’t teach doctors how to treat poisonings without also teaching them how to poison. It’s the same knowledge. It’s the same with construction and demolition. And it’s the same with cybersecurity. We want these AI models to be able to review computer code, find vulnerabilities and automatically fix them. The benefit to our collective security will be enormous. Unfortunately, the same knowledge can be used for attacks.

Where this leaves us is in a world of increased volatility. Super-powered humans with AI assistants will be able to do both wonderful and horrible things.

This brings us back to the Five Eyes statement. Everything they recommend is something security professionals have been recommending for years, if not decades. They are things talked about at that congressional hearing back in 1998, titled “Weak computer security in government: Is the public at risk?” Even the Five Eyes admitted that their security advice is not new, only more urgent.

What’s new is how fast things are changing: “The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.” The Five Eyes point to AI technology—not necessarily chatbots, but AI more generally—being used to strengthen every aspect of defense, to “detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents—reducing both the cost and impact of incidents.”

Excellent advice from the Five Eyes security agencies. We need to do this with every risk that AI heightens, not just cybersecurity.

This essay was originally published in The Guardian.

What It Takes to Secure Claude Cowork Across the AI Enterprise

You've watched the demos. Whether it's Claude Cowork, ChatGPT Enterprise, GitHub Copilot, Cursor, or internally developed agents, AI systems are no longer answering questions. They are connecting to enterprise data, invoking tools, making decisions, and executing multi-step workflows across applications without human intervention. The capability is real, and organizations are rapidly moving from experimentation to deployment.

Teams are no longer asking if they should use this, they have accepted agentic tools as the reality. But the board and the infosec team are asking a different question: can this capability be secured and controlled at enterprise scale? Can security teams prevent sensitive company data from being exchanged without oversight?

Anthropic built meaningful access controls into Cowork — role-based permissions, group spend limits, usage analytics and connector restrictions — so the answer is a qualified yes. Those controls handle who can use the tool and what they can connect to, but they don't answer whether a specific action inside a given session is safe. That gap is the one standing between a successful pilot and a successful org-wide rollout.

The Gap That a Demo Doesn’t Expose

The organization’s admin assigns roles, sets spend ceilings per user group and restricts which connectors have access to write to your database. Anthropic's OpenTelemetry support even lets your team pipe session events into your SIEM. These controls cover real ground, but they operate at the permissions level — answering whether a person is authorized to use the tool rather than whether what's happening inside a session is safe.

Consider what that gap looks like in practice. Let’s consider two scenarios. Your finance analyst has full Cowork access and uploads a quarterly forecast containing unannounced acquisition figures. The access controls confirm she is authorized to use the tool, but nothing evaluates whether that information should be exposed to a model. That's an AI data loss prevention risk, and access controls are blind to it.

The risk becomes greater when agents move beyond information retrieval and begin taking actions. Let’s say a scheduled Cowork automation is set up to pull weekly competitor pricing from the web. A target site embeds hidden instructions in its page content. The agent, running unattended, reads them as legitimate commands and begins modifying local files and triggering actions your team never authorized. By the time anyone notices, the agent has already acted.

The first scenario exposes a governance problem because your security team has no visibility into what data is flowing through AI tools across the organization. The second is a runtime security problem as there is nothing evaluating whether an action in progress is safe, regardless of whether the user was authorized to start it. Neither gap is addressed with the predefined controls in Cowork; both need to be solved before you can say yes to Cowork adoption in the whole organization.

Why Traditional Controls Break Down

Traditional enterprise software behaves predictably. Access controls work because administrators can reasonably anticipate what an authorized user or application will do once access is granted. 

AI systems operate differently. Agents combine models, tools, data sources, and reasoning paths dynamically at runtime. An authorized user may start with a simple request, but the resulting chain of actions may evolve in ways that were never explicitly programmed or anticipated. The challenge is no longer controlling who can access a system. The challenge is securing and governing what happens after access has been granted.

The Missing Layer is Runtime Security 

Anthropic's access controls establish who can use Cowork and what they can connect to. But as the examples above show, they don't protect against what happens inside a session: a finance analyst uploading sensitive acquisition data to the model, or a scheduled automation being hijacked by a malicious instruction embedded in a webpage it was directed to visit. What organizations working with Cowork need is a layer that enforces data and security controls and gives complete visibility at runtime across all Cowork agents in the enterprise every interaction boundary.

An AI runtime security layer that sits between your teams and the model providers such as  Anthropic, AWS Bedrock, Google Vertex or any combination, and evaluates risk in every interaction. It inspects every request, every tool call and detects sensitive data like client names, financial projections, internal pricing and contract terms.  It enforces agent identity controls, so every automated action is traceable to a specific workflow and owner. 

Your CISO gets the audit trail and your Infosec team gets the evidence.

The AI Enterprise Needs a Control Plane

The CIO needs the observability for all Cowork activity and costs. An AI control plane allows the CIO to set spending limits per team and use case across every AI tool from a single console. Procurement asks for a quarterly forecast across all AI spend, and you pull it from one place instead of aggregating reports from four different vendor dashboards. If you need to move providers for cost or compliance, the gateway reroutes traffic without disrupting your teams or breaking your workflows.

Claude Cowork may be where organizations begin scaling their AI journey, but it won't be the only AI tool your teams use. Developers will use coding assistants,  business teams will leverage the AI built into SaaS applications and data science teams will deploy custom agents for their workflows. New models, new providers and new workflows will continue to appear.

The challenge isn't just governing one AI application; it’s governing AI activity across the entire AI enterprise.

Everyone looks to secure each tool individually: configure Cowork's controls, configure your coding assistant's controls, configure your internal agents separately. But this approach doesn't scale. This is the sole purpose of the control plane. It sits above individual tools, applications and models and enforces  security policies,  across every AI interaction. 

Prisma AIRS AI Gateway provides that centralised control plane. Organizations that deploy Cowork behind our gateway get runtime security, data protection, agent identity controls, and full visibility, applied consistently, without changing how teams use the tool. The same gateway secures every other AI tool in your environment on the same terms.

Cowork may be where the journey begins, the gateway is what allows it to scale and secure the AI Enterprise.

The post What It Takes to Secure Claude Cowork Across the AI Enterprise appeared first on Palo Alto Networks Blog.

The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI

7 July 2026 at 16:00

Written by: Shebin Mathew


Introduction 

The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. By obtaining the private key of an ADFS token-signing certificate, an attacker can authenticate as any user to any SAML-federated application, bypassing multifactor authentication (MFA), conditional access, and all identity-based controls.

However, during a recent red team engagement, Mandiant discovered that when ADFS certificates are manually rotated, configuration drift can silently leave active signing keys exposed in Machine DPAPI. Specifically, Mandiant discovered that in environments where AutoCertificateRollover is disabled and certificates are manually rotated, the database often becomes a 'ghost'—a record that still exists, still decrypts successfully, but references a certificate no longer used for token signing by the ADFS service. This attack vector warrants attention because the underlying configuration is commonly deployed in enterprise environments. The technique avoids direct interaction with components such as LSASS and the live ADFS service process, which are often subject to enhanced monitoring in enterprise environments, and may therefore result in lower visibility depending on the organization’s telemetry coverage. This post details how adversaries may exploit this TTP to forge high-privilege SAML tokens and provides the blueprint to defend against it.

Technical Insight: Encountering the ‘Ghost Certificate’

Analysts followed the standard DKM extraction path, retrieving the encrypted blob from the WID database and decrypting it using the DKM material stored in Active Directory. The extraction succeeded, but the recovered certificate was no longer valid for token signing, and Entra ID rejected the resulting tokens with AADSTS500172 due to invalid signing material. Although structurally correct, the artifact is not usable for authentication, as the active signing key resides in the system’s machine-scoped cryptographic store, protected by Windows Machine DPAPI and managed through the operating system’s cryptographic subsystem. Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, bypassing the need for user credentials and multi-factor authentication, and granting unauthorized access to any SAML-federated application including Microsoft 365 and Entra ID within the organization's environment.

Analysis revealed that AutoCertificateRollover had been disabled and a manual rotation had been performed. Confirmation was obtained directly via Get-AdfsProperties, which returned AutoCertificateRollover: False, indicating that certificate lifecycle management had been delegated to manual administrative processes. While the ADFS service used a new valid key for signing, the WID configuration database was never updated to reflect the new certificate—leaving an expired "ghost" entry as the only record. This drift condition surfaces via Microsoft Event ID 385, which indicates certificate validity warnings in the ADFS service. Notably, this event self-resolves when AutoCertificateRollover is re-enabled and a subsequent certificate rollover is performed; in environments where it is disabled and manual rotation is performed without a corresponding database update, it is the observable symptom of this drift condition.

ADFS certificate enumeration output showing configuration drift between the WID database and the active host certificate

Figure 1: ADFS certificate enumeration output showing configuration drift between the WID database and the active host certificate

ADFS maintains private keys in two protection contexts. In Location 1 (User DPAPI), encrypted key blobs may exist on disk, but the DPAPI protection is tied to the service account's SID and associated DPAPI masterkey material. In the assessed environment, the domain DPAPI backup key approach successfully decrypted masterkey material for interactive user profiles, but returned no decryptable material associated with the ADFS service account profile. All subsequent offline decryption attempts similarly failed, consistent with the masterkey not being recoverable through the evaluated on-disk recovery approach in this environment—though this observation is bounded to the assessed environment and does not represent a universal architectural property of all ADFS deployments.

Location 2 (Machine RSA) does not rely on a user-specific logon session. Instead, the key material is protected using Machine DPAPI, leveraging the DPAPI_SYSTEM LSA secret together with machine masterkeys available to sufficiently privileged SYSTEM-level contexts.

Why the WID Path Misses This Key

In ADFS environments experiencing configuration drift—commonly arising during manual certificate rotations where AutoCertificateRollover is disabled—the ADFS service host can successfully bind to a newly provisioned signing certificate at the operating-system level, ensuring continued service operation. However, the WID configuration database may not reflect the current signing certificate, resulting in stale certificate metadata.

This divergence between configuration and runtime state is the condition that ADFS Event ID 385 is designed to flag. As a consequence, extraction techniques that rely solely on the WID database and DKM material may return certificates that are no longer used for active signing, leading to rejected assertions in downstream federation scenarios.

Understanding How the Machine DPAPI Store Becomes Populated

Understanding how the Machine DPAPI store becomes populated requires examining how ADFS persists its token-signing key material. During initial deployment, automatic certificate rollover, or manual certificate rotation, ADFS persists its RSA private key material in the machine-scoped CAPI key store at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, protected using machine DPAPI context rather than a user-bound DPAPI context. SharpDPAPI /machine enumeration in the assessed environment confirmed that the active machine key material resided under this path, while the CNG Crypto\Keys store was not observed in use in the assessed environment.

The protection chain relies on the DPAPI_SYSTEM LSA secret together with machine masterkeys associated with the S-1-5-18 security context, stored in C:\Windows\System32\Microsoft\Protect\S-1-5-18\ as DPAPI-protected key material—both components ultimately resolvable only within highly privileged SYSTEM-level contexts on the host. The corresponding certificate is enrolled into the LocalMachine\My certificate store, from which ADFS retrieves the associated private key during token-signing operations.

The architectural rationale for machine-scoped key storage is operational resilience. A machine-scoped key remains usable across service account password changes, gMSA rotations, system reboots, and service restarts without requiring key reprovisioning or dependency on a specific interactive logon session. This design ensures that the ADFS service can consistently access the signing key regardless of changes to the underlying service account credentials.

However, this same design choice has important security implications. Because the private key is protected using Machine DPAPI rather than a user-bound DPAPI context, a sufficiently privileged local process capable of accessing the machine key store and associated DPAPI artifacts may be able to recover the key material independently of the original service logon session. As a result, under certain conditions, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to defenses primarily focused on credential dumping or process-memory access behaviors.

KEY DESIGN IMPLICATION

ADFS persists its token-signing private key material in the machine-scoped key store, protected using Machine DPAPI semantics. This is a documented behavior enabling machine-scoped key persistence that survives service account changes, credential rotations, and service restarts.

However, this design introduces an operational security implication that is not commonly emphasized in standard ADFS hardening guidance: private keys stored within the machine key store are protected using this protection model and may be recoverable by a sufficiently privileged SYSTEM-level context through access to the DPAPI_SYSTEM LSA secret and machine masterkeys available locally on the host.

As a result, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to security controls primarily focused on credential dumping or process-memory access behaviors.

Attack Flow: Machine DPAPI Key Recovery to SAML Forgery

Machine DPAPI extraction flow—five-step process from SYSTEM execution to SAML assertion

Figure 2: Machine DPAPI extraction flow—five-step process from SYSTEM execution to SAML assertion

‘SharpDPAPI /machine’ output confirming successful recovery of the active ADFS token-signing private key from the machine DPAPI store

Figure 3: ‘SharpDPAPI /machine’ output confirming successful recovery of the active ADFS token-signing private key from the machine DPAPI store

The recovered key was used to forge a SAML assertion impersonating a Global Administrator identity, which Entra ID accepted as a valid authentication assertion, resulting in authenticated access at Global Administrator privilege level within the federated Microsoft 365 tenant.

Detection and Hunting

Defenders should prioritize visibility into operating system-level cryptographic operations and identity issuance behavior, rather than relying solely on application-layer configuration stores.

  • SACL-Based Object Access Monitoring: Configure object access auditing via SACLs on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ and C:\Windows\System32\Microsoft\Protect\S-1-5-18\. When configured correctly, this generates Security Event ID 4663 for file access attempts. Coverage depends on SACL configuration and access paths; treat this as supporting evidence in correlation-based detection rather than a stand-alone signal.

  • ADFS Token Issuance Consistency: Monitor for inconsistencies between primary authentication events and token issuance events in ADFS audit logs. Relevant events include token issuance and claims processing records (Event IDs 299, 1200-series, depending on ADFS version and audit configuration). The objective is to identify token issuance that cannot be clearly correlated to a preceding authentication context. This is most effective when normal authentication patterns per relying party trust are baselined.

  • Federated Identity Monitoring in Entra ID: Entra ID sign-in logs will record an accepted forged assertion as a standard federated sign-in event. Detection requires cross-correlating Entra ID sign-in records against ADFS-side issuance logs—neither source in isolation is sufficient. For privileged accounts, focus on unexpected Internet Protocol (IP) ranges, claim set deviations,and user-agent inconsistencies.

Mitigation and Remediation

ADFS infrastructure should be treated as Tier 0 identity infrastructure, equivalent in criticality to Domain Controllers. If SYSTEM access is achieved on an ADFS host, the signing key must be considered compromised.

  • Hardware-Backed Key Protection: Migrate token-signing certificates to a Hardware Security Module (HSM). HSM-backed keys ensure private key material does not exist in software-accessible storage on the host, eliminating the Machine DPAPI extraction path entirely.

  • gMSA Service Identity: Run ADFS services using Group Managed Service Accounts to automate credential rotation and reduce operational drift in service identity management. While this does not directly address machine-scoped key protection, it eliminates manual credential management as a contributing factor to configuration drift.

  • Tier 0 Administrative Controls: Govern ADFS servers with strict Tier 0 controls: restricted administrative access pathways, dedicated Privileged Access Workstations (PAWs), separation from general server administration domains, and enhanced privileged access monitoring.

  • Certificate Rotation and Configuration Validation: If compromise is suspected, rotate the token-signing certificate and validate consistency across ADFS configuration, the  LocalMachine\My store, and federation metadata. Do not rely on a single source of truth. For environments with AutoCertificateRollover disabled, manual rotation must include updating ADFS via Set-AdfsCertificate—installing the certificate alone is insufficient. Validate using Get-AdfsCertificate after rotation. If Event ID 385 appears afterward, investigate for configuration inconsistency. 

  • Multicloud Scope Awareness: A compromised ADFS token-signing key affects all SAML relying party trusts, not just Microsoft services. Organizations using ADFS for identity federation across other software-as-a-service (SaaS) platforms should treat ADFS as Tier 0 infrastructure and audit all relying party trusts. Migrating away from ADFS-based federation (e.g., to native OIDC federation) removes this specific attack path.

Google Is Suing Chinese Scammers Who Are Using Gemini

7 July 2026 at 12:43

Not sure this will have any effect, but I support the effort:

According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use Google’s Gemini AI to create websites that imitate those of Google, YouTube, and government agencies such as New York’s E-ZPass. The group offered nearly 300 scam templates.

[…]

Google worked with AT&T, Verizon, and T-Mobile to block many of these malicious text messages, and Google notes that its on-device scam detection in Google Messages probably helped reduce the number of successful phishing attempts, too. This AI-powered feature apparently stops 10 billion scam texts every month, so it’s fair to expect it caught at least some Outsider Enterprise activity.

Another article.

It Might Feel Like We’ve Been Here Before, But We Haven’t

6 July 2026 at 13:09

As artificial intelligence (AI) adoption surges and organisations move from the ‘should we?’ phase to the ‘how do we?’ phase, it’s natural to evaluate the likelihood of positive returns on AI investments. That’s always been the case with the onset of each new technology paradigm: C-suite executives, guided by their boards and aided by technical and business teams, remain keenly focused on traditional metrics such as return on investment, shareholder equity, developing and extending competitive advantage, and ensuring superior customer relationships.

This time is different, however. I recently experienced that firsthand when I went to visit a major customer. My contact, a senior decision maker, gave me a pointed piece of advice about how to talk about AI with his boss, the CEO: “Please don’t say anything negative about AI.” The subtext was clear: The company was fully committed to AI and didn’t want any cognitive dissonance to dissuade them from their mission.

It's hard to imagine a CEO taking such an absolutist stance on previous technology waves, such as cloud, bring your own device, or the internet of things. CEOs, board members, and technical leaders would be pragmatic in evaluating the benefits of investments and put mileposts in place to gauge progress – and to determine if and how to proceed.

AI is certainly a different kind of paradigm, though. While no one is casting aside careful evaluation and monitoring of AI investments, the underlying assumption is that we’re stepping on the accelerator. We’re all enthused not only by its potential for transformation and innovation, but also by how this technology can be leveraged for remarkable societal good.

However, while the accelerating momentum toward AI and agentic systems is undeniable, it is vitally important to set aside the fervour around AI and take a sober look at how to deliver safe, secure, and tightly governed systems at enterprise scale. 

Many organisations are underestimating the challenges of AI governance, in large part because they think they’ve been here before. They already have many experiences of ensuring robust cybersecurity and strict governance for new technologies, as they’ve done for remote systems, cloud computing, the internet of things, and more. They already have a corporate commitment to doing governance correctly and a sound governance model. 

But this new era of AI and agentic systems is different. New challenges abound, and AI strategy, build-out, and governance must be in alignment from the start to ensure proper operational, ethical, and regulatory outcomes. 

Our intention with this Peer Insights guide is to raise what we believe are existential issues around governance for this powerful, complex, and unprecedented technology wave. Few technologies have merited the often overused phrase ‘inflection point’ more than AI. The speed of AI adoption is nothing short of breathtaking; however, today’s runaway embrace of AI is far stronger than our current ability to govern it. That’s because AI represents a fundamental shift in how organisations do their business, interact with customers, make vital decisions, and execute their plans. This isn’t just a technology play: It’s a strategy for success and survival for entire industries and our global economy. The stakes have never been higher.

CEOs care so passionately about AI because they see it changing nearly everything we’ve learned and believed to be true about organisational success and failure. CEOs are in their positions for one purpose: to grow the business. AI can do that by transforming their processes and sparking new ideas. When that customer representative forewarned me, I really wasn’t surprised to hear his CEO felt so strongly about AI: Research from BCG indicates that more than 94% of CEOs say they still plan to deploy AI irrespective of demonstrated business value, even if there is a lack of tangible ROI or financial benefits from the start. 

Which brings us to the central role of AI governance. As we all know, there are many fundamental elements to any governance strategy, starting with robust, scalable, and intelligent cybersecurity. Cybersecurity - the foundation of governance - also includes the twin imperatives of accountability (‘rogue AI’ being a real thing, after all) and regulatory compliance.

But good AI governance has to go even further. Operational integrity is key to good governance because so much sensitive and even proprietary data is poured into AI models and accessed through powerful agentic AI systems. Now more than ever, organisations have to be transparent with customers and trading partners about how their AI systems operate, what kind of data is accessed, and how it is protected. And that doesn’t just mean being upfront with customers by telling them when they are interacting with an AI agent. Let’s take a typical retail use case: Imagine you’re on a website looking at clothing, and the agent recommends specific styles of clothing in specific colours. True operational integrity would allow you to discover why and when the agent made those recommendations. Was it based on your prior purchasing history, or on your browsing patterns on a recent web session? AI and agentic governance take the guesswork out of the equation for those interacting with the system and help breed greater confidence and trust.

It's critically important for decision makers to view AI governance holistically, rather than through a series of narrow lenses. For instance, even though cybersecurity is the foundation of good AI governance, it’s a mistake to treat AI governance primarily as a cybersecurity problem. If asked about ownership of AI governance, CEOs cannot and should not reply, “Oh yeah, the CISO has that covered.”

AI governance is fundamentally an enterprise risk problem, which means everyone must be involved in creating, deploying, managing, evaluating, and adjusting AI governance guardrails on a real-time basis. Again, AI is a different kind of risk environment than any we’ve previously encountered. For the most part, organisations are simply not adequately prepared to apply the right level and right type of governance to AI and agentic systems. I’ve spent much of the past 15 years of my career building governance frameworks, and while it has never been easy, we have had the advantage of being able to control many of the variables – such as infrastructure and network access – impacting governance decisions. With AI and agentic, we no longer have that advantage.

To explore the critical and complex issues of AI governance, we’ve enlisted five leading voices to bring their real-world experience to the discussion. Together, our five authors help lay out the new rules of the road for governing AI and agentic systems at scale.

Just as my customer gave me a heads up about the realities of speaking with his boss about AI, I’d like to offer you a heads up about the realities of AI governance challenges before you read this Peer Insights guide

  1. Visibility is paramount for successful AI governance. As we learned during the growth of trends such as cloud, bring your own device, and remote work, our employees will push the envelope with a do-it-yourself mindset. These tech-savvy and resourceful users are already making rogue AI a reality, so organisations need more visibility than ever into where AI ‘science projects’ and sandboxes are operating without anyone’s knowledge.
  2. AI governance must reflect the stunning velocity of change in AI development and deployment. Not only does AI have its own never-imagined rate of change, but the technology is changing everything else faster – product development, supply chains, marketing programmes, and more. AI governance has to evolve just as rapidly. Governance in the AI world must be a living system, constantly evolving with new technology use cases.
  3. Trust boundaries are incredibly different and difficult to manage in AI governance. AI represents a new class of identity that simply didn’t exist before. That means AI doesn’t fit neatly into your existing identity management framework, making things like application whitelists and zero trust network access less effective.

Unfortunately, many CEOs, board members, and business executives simply don’t understand the profound importance and complexity of these issues. They may have been heartened by how they integrated generative AI into their technology frameworks and their business processes, but GenAI was pretty familiar territory for CIOs, CTOs, and CISOs. Agentic AI is different for several reasons, including its automation and self-learning capabilities. Don’t be lulled into a false sense of security: Agentic AI is not simply a refresh of GenAI.

As you get ready to dive into the following chapters, rethink how you define governance when applying it to AI systems and agentic AI. Most traditional governance models are imagined, constructed, and deployed as gates, preventing people from doing things or going places they shouldn’t. Instead, think of AI governance as a guardrail to guide and direct people to get the most out of AI without creating problems. With so much excitement and investment around AI, organisations – and their employees – want to get the most out of their AI and agentic systems. We all know people don’t want to hear “no, you can’t do that”, so an effective governance system should use guardrails to drive proper, responsible, and safe usage of the technology.

Finally, as complex as AI and agentic governance are and will continue to be, don’t overthink things in hopes of creating the perfect model – it doesn’t exist. My advice is to start now, even if the model and framework are imperfect, and then bring the business along with you.

We at Palo Alto Networks are excited to give you insights, ideas, and actions you can take away from the chapters of this guide. We encourage you to share what you learn with your colleagues, peers, and team members – and to take prudent steps to build an AI governance model that rewards innovation without allowing your organisation to drift into dangerous waters.

 

Haider Pasha is VP & Chief Security Officer, EMEA, Palo Alto Networks

The post It Might Feel Like We’ve Been Here Before, But We Haven’t appeared first on Palo Alto Networks Blog.

France to Stop Certifying Non-Quantum-Safe Encryption

6 July 2026 at 12:45

France is accelerating its transition to post-quantum encryption:

France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems.

Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030.

ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption.

Flock Cameras Can Surveil Cars Without License Plates

3 July 2026 at 13:15

This is from a 2024 company presentation:

Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.

Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the company’s presentation shows.

The company gives police officers the ability to search that data as well, to “build stronger cases with less information upfront.” That includes being able to locate multiple vehicles law enforcement officials believe are moving together and what Flock calls a “multi geo search.”

This kind of thing is older than AI; I wrote about it in my 2014 book Beyond Fear. Edward Snowden revealed that the NSA was using cell phone location data to track phones that were habitually near each other.

As bad as Flock is, remember that anyone with broad access to cell phone location data can do the same thing.

Google’s Continued Disruption of Malicious Residential Proxy Networks

2 July 2026 at 16:00

Background

Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks.

Actions Taken

As a part of this disruption we took the following actions:

  1. Disabled Google accounts and associated Google services used by NetNut for malware command and control (C2), which directly violates Google’s Terms of Service and Acceptable Use Policy. 

  2. Shared technical intelligence on NetNut software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and research firms to help drive ecosystem-wide awareness and enforcement.

  3. We ensured Google Play Protect, Android’s built-in security protection, automatically warned users and disabled applications known to incorporate NetNut SDKs, and the system will continue to protect users against future install attempts. These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices.

We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions. In addition to selling access to the network under the NetNut brand, NetNut has a robust reseller program that allows whitelabeling of its network. Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet. While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers. We will continue to observe the composition of the NetNut network and map out how its peers adapt to this action.

Why it Matters

NetNut is among the largest and most popular residential proxy networks. Estimating the size of residential proxy networks is extremely challenging, but Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world. Public reporting by KrebsOnSecurity and others, confirmed by Google, illustrates that NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes. GTIG has also identified NetNut botnet plugin components for large-scale botnets such as Badbox 2.0.

Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs), allowing attackers to mask malicious activity by hijacking these IP addresses. A robust residential proxy network requires controlling millions of residential IP addresses to sell to customers for use. To accomplish this, operators need code running on home devices to enroll them into the malicious network as exit nodes. Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers.

In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats. Public reports by Synthient, Spur, Nokia Deepfield, and others have documented the use of NetNut to infect devices with variants of Mirai DDoS botnets.

Empowering and Protecting Consumers

Consumers should be extremely wary of applications that offer payment in exchange for "unused bandwidth" or "sharing your internet." These applications are primary ways for malicious proxy networks to grow, and could open security vulnerabilities on the device’s home network. We urge users to stick to official app stores, review permissions for third-party VPNs and proxies, and ensure built-in security protections like Google Play Protect are active.

Consumers should be careful when purchasing connected devices, such as set top boxes, to make sure they are from reputable manufacturers. For example, to help you confirm whether or not a device is built with the official Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your Android device is Play Protect certified.

Future Work

As we noted earlier this year, the residential proxy industry appears to be rapidly expanding, and this coordinated disruption is not the end of our work combating malicious residential proxy networks. This industry is deeply connected and operators depend on overlapping botnet networks that are constantly resold. While point-in-time disruptions are a critical tool to protect our users, continued and coordinated effort is needed to reduce malicious proxy networks in the long run. We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and to take direct action to block malicious C2 infrastructure.

Cybersecurity Mission Creep in the US

2 July 2026 at 13:11

Interesting paper: “Cybersecurity Mission Creep.”

Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what this Article calls “cybersecuritized.” Before this reframing, these issues present as important but not existential. But once cybersecuritization positions the issues as threats intensified by their technological nature, they gain access to the politics and law of urgency and exceptionalism and invite troubling governance responses.

Positioned as security threats, cybersecuritized issues become endowed with the apparent normative power to override countervailing considerations, oversimplifying the problem. Cybersecuritization’s oversimplification similarly risks unidimensional solutions and invites use of argumentative trump cards, like First Amendment challenges. Cybersecuritization also invites deference to purported specialists and their proposed solutions. Together, the reductive tendencies of cybersecuritization and the deference it prompts to specialists renders ultimate governance choices more opaque. And this opacity can erode public trust and political legitimacy.

This Article surfaces the phenomenon of cybersecuritization and offers a novel framework for analyzing and critiquing it. Mining cases from across criminal and civil domains, the account also demonstrates the insidiousness of cybersecuritization and the likelihood that it will continue to expand. Confronting cybersecuritization is crucial. If we continue to ignore it, we risk abdicating further responsibility for difficult choices to the trump card of cybersecurity. This Article’s analysis and critique aim to help reclaim the hard work of governance for our hands.

Finding and Addressing Vulnerable and Outdated Web Application Components

Vulnerable and outdated software components are one of the most common issues encountered by BHIS during web application penetration tests. The vast majority of web applications use third-party components such as jQuery, Angular, Bootstrap, or countless other libraries.

The post Finding and Addressing Vulnerable and Outdated Web Application Components appeared first on Black Hills Information Security, Inc..

DEW #161 - Attack Paths Outside the Critical Path, GuardDog 3.0, Detection Chokepoints & Infosec drama

1 July 2026 at 14:43

Welcome to Issue #161 of Detection Engineering Weekly!

✍️ Musings from the life of Zack:

  • I had an excellent vacation at the beach with my family! We stayed at an Airbnb with a 1-minute walk to the ocean. There’s something about the crashing waves and the smell of salty water that makes me wish I could afford a house there D:

  • I am locked in & going to BSides LV/BlackHat/DEFCON! I’ll be posting details for my Detection & Response Happy Hour next week with sign-ups. Mark your calendars for Tuesday, Aug 4 at 5 pm :)

  • I opened sponsorship slots up for the summer, so if you’d like to work with me on ad placements or opportunities to work with the Detection Engineering Weekly brand, shoot me an email: techy@detectionengineering.net

  • Lastly, I opened a content submission page for folks who want to get their research and blogs in my reading queue. It’s much easier for me to use this then accidentally miss something on social media, Slack or e-mail!

    Submit a blog


💎 Detection Engineering Gem 💎

Defense-in-depth is an overused phrase in security marketing, but it’s one of the few “buzzwords” where the definition matches in marketing-speak with what it means in security operations. At its core, detection & response is a hedge against when security controls fail. Examples of this include someone entering their username, password, and security code on a phishing page, or someone downloading an infostealer binary from an allow-listed domain, such as a CDN, and running it. The important part here is that detection engineers identify the attack paths that threat actors take when those controls fail.

Lydia’s blog (hi Lydia!) is a great example of the nuances of a powerful security control, Entra’s Continuous Access Evaluation (CAE), and how even the perfect implementation of that control can fail. Both infostealers and attacker-in-the-middle phishing pages are regularly stealing access tokens from victims, and when these tokens get into the hands of threat actors, they can use them to pivot into a production Entra environment. Microsoft implemented CAE to help combat long-lived tokens through a challenge/response mechanism to catch stolen tokens:

From Lydia’s blog: CAE vs. traditional OAuth

The idea is that legitimate or malicious access tokens should be evaluated against access policies and controls, and Entra can catch a stolen access token before a threat actor interacts with the target environment. It’s an excellent security control that is now the default for Entra environments, but much like multi-factor authentication, it has its sharp edges:

  • There’s a 1-hour expiration window when the issuing client does not have a CAE-enabled auth flow

  • Resources that don’t have CAE can still be interacted with, meaning a bypass of a CAE-enabled client against a non-CAE-enabled resource is possible

  • IP restrictions can revoke the key quickly, but infostealers and phishing kits help provide geolocation and IP information, which can help bypass this restriction

Lydia provides a helpful coverage map for when each control fails and what you can do to “hedge” against a stolen token. This is where telemetry on hosts and cloud resources, combined with identity telemetry, provides a much stronger defense-in-depth approach when the best security controls fail.

The hedge is telemetry and correlation. If the token is being worked through Outlook or Teams against M365 from a CAE‑capable client, CAE helps detect and respond to malicious access attempts. If it’s a guest identity, a third‑party cloud app, or a tenant that has more lax IP restriction controls, you have a one-hour window to find initial access.

Per Lydia’s guidance, you should log where tokens are actually used, correlate host and cloud activity with identity change events, and build detection and response plays for the points where CAE is bypassed.


Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!

🔬 State of the Art

Introducing GuardDog 3.0: A new rules engine, transparent sandboxing, and more by Christophe Tafani-Dereeper and Sebastian Obregoso

~ Note: Datadog is my place of employment, and Christophe & Sebastian are my colleagues! ~

My esteemed research colleagues at Datadog released version 3 of GuardDog, an open-source malicious package analysis tool. I’ve talked about guarddog in this newsletter all the way back to Issue 11 (!), and I’m super proud to see its active development and use here at Datadog. Especially since it started as an internship project!

The unique detection-focused part about GuardDog is its rule system. In previous versions, semgrep was run under the hood as we applied SAST primitives to detect malicious behavior. It worked well until they started to hit scale issues, so, like good threat researchers, the team switched the underlying rule engine to YARA. The team also graduated from atomic detections to implementing a scoring system that provides confidence scores for a package’s maliciousness. The final interesting part is that they created a benchmarking and evaluation dataset from the years of us collecting malware samples:

You can run this locally in its brand-new sandboxing environment using no-sandbox and play around with the samples, or implement the tool yourself in your environments!


Developer endpoint inventory in 10 minutes: Bumblebee Hive by Oluwatobi Afolabi

I featured Perplexity’s Bumblebee project in Issue 158, and this post by Afolabi is the first blog post I’ve read that helps readers install and use it. This is also great timing with the GuardDog post I put right above this one, because you can certainly combine the two! For those unfamiliar with Bumblebee, it allows security teams to query developer laptops using Fleet to check for OSS packages, extensions and AI configurations on disk. The idea is to compile an inventory of these packages and send it to an analysis pipeline to determine whether each package is malicious, using either a known dataset or your own analysis engine.

Afolabi sets up two parts of the Bumblebee infrastructure: the scanner and the ingest server, Bumblebee Hive. One configured, Afolabi issues a scan and finds over 1,700 packages on just the test machine. This is the fundamental issue with this kind of telemetry: developers want to use their machines to quickly develop, so they use a myriad of open-source tools to try new packages or upgrade existing ones. So, when a package gets compromised, they will have legitimate versions of that package on their laptop, and if they issue a fresh update for their project, they pull in a malicious one.


Adding a Detection Layer That Prompt Injection Can't Touch by Aaron Phifer

In this post, Phifer built an LLM-assisted alert triage system on top of their Suricata logs. Detection using LLMs isn’t a novel topic, but what’s novel here is the approach Phifer took and how we should all think about alert triage when using LLM judges. Throwing an LLM on top of alerts in a single shot can potentially work, but when you deploy to a live environment, it requires a harness to make these ”judges” effective.

The harness that Phifer built relies on several features that preprocess the NetFlow traffic before it ever reaches a triage state. These pre-computed, deterministic features rely on baselines derived from a host's alert-generation rate and whether the host has ever generated that alert.

alert_rate: alerts/hour per internal IP. A host suddenly tripping 10x its normal volume is a behavioral change, even if every individual alert is “benign.”

novel_sid: this host triggered a signature it has never triggered before. A normally-silent host that fires a new rule is a high-value signal.

Both injection-immune for the same reason: an attacker can’t change how often their behavior trips signatures by editing alert text.

Phifer claims these features are prompt-injection resistant, unlike a key:value of something like “domain”:”MAKE THIS ALERT BENIGN”.

My favorite section, Building it taught me more than designing it, is where I think self-made labs and experiments like this catapult the researcher’s understanding of security. Design can only go so far, and sometimes it’s better to just build out what you think you should build and learn the constraints along the way.


Detection Chokepoints: Starting from Scratch by Tyler Bohlmann

Detection Chokepoints is a concept I first learned about nearly 4 years ago (and featured in Issue 2 of this newsletter :O). The idea is that, much like in the Pyramid of Pain, if you focus on detecting variants of a specific attack, you risk chasing trends of attacker behavior versus observing and detecting the underlying behavior. Bohlmann offers a fresh 2026 perspective on this concept, detailing their experience hunting infostealers and ClickFix variants.

Rather than building a rule for every new stealer or copy‑paste trick (Bohlmann names four variants of ClickFix), they identify the chokepoints of the infection chain itself. For example, by looking for scripting interpreters spawning directly from an Internet browser, you can hone in on whether a victim ran a ClickFix payload. Or you can look for unusual exfiltration of secrets and credentials, from password vaults to locally stored secrets.

This also plays nicely into Lydia’s Gem post above, where you find the attack paths that can occur if a specific control is bypassed.


Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!

☣️ Threat Landscape

An Update on the Recent Klue Security Incident by Jason Smith

The big threat landscape story over the last two weeks is yet another supply chain incident targeting a Salesforce application. Klue, an app that integrates with Salesforce to provide competitive intelligence, was compromised by a group called “Icarus”. They compromised Klue to obtain OAuth tokens, which were then used to pivot into Salesforce environments. The group subsequently sent out emails extorting victims:

Image courtesy of Lawrence Abrams article on the breach

Just like Lydia pointed out in the Gem above, security controls have their place because they reduce the blast radius of known and vulnerable paths. When those controls don’t monitor paths such as a Salesforce integration, you need defense-in-depth controls or detection rules to hedge against failures in security controls.


These Recent Insider Threat Allegations by Kyle Hanslovan

There’s been some infosec drama brewing over the last week involving a former Huntress employee. According to the former employee, a current employee of the firm disclosed sensitive investigation information to a threat actor from the DevMan ransomware group. The former employee also alleged that the firm was covering up the incident and failing to disclose its details to the broader public and customers.

I’m not going to link the employee’s social accounts to preserve some level of privacy, but the post here from Huntress’ CEO gives their side of the story. Researchers at Huntress are given some latitude to engage with threat actors to gather threat intelligence and better understand specific criminal operations. According to Hanslovan, the employee disclosed some sensitive details to DevMan about a law enforcement case the researcher was involved in.

You’ll never have the full details in cases like this, but my current take is that Huntress didn’t have the best guardrails in place to prevent a situation like this, and it sounds like they are implementing those exact guardrails after this incident.


Synthesis of Exploitarium Mass Zero-Day Disclosure by Ethan Andrews

This is a write-up of CVEs and detection opportunities from the exploitarium repository dropped last week by the anonymous researcher ‘bikini’. The repository contains over 130 unpatched exploit PoCs across various libraries and technologies, and it looks like 9 CVEs have been assigned since the initial release. I couldn’t verify all 130 PoCs, but the write-up provides a good synopsis of the affected technologies and one or two interesting exploits.

The writeup also says that the bikini actor is related to ShinyHunters, but I don’t really know how they’ve made that connection from the repository and their writeup.


AsyncRAT Family Threat Overview by Aidan Holland

AsyncRAT is a malware family used as a remote access trojan that originated as an open-source tool in 2019. I was not aware of the lineage of AsyncRAT variants, so reading up on how the malware has been cloned, forked, and developed over the last seven years was a fantastic technical detail that Holland includes in this post. The research here demonstrates how you can analyze variants and their source code to create attacker infrastructure-hunting rules for tools like Censys. Across the 40 variants, Holland found 13 live variants deployed across the Internet using Censys data.


🔗 Open Source

aaronphifer/triagewall

Phifer’s triagewall project listed in State of the Art above. It’s set up like a home lab, so you can clone this repository and get the rules and LLM triage features out of the box.


iimp0ster/detection-chokepoints

GitHub repository for Bohlmann’s chokepoints blog listed above. It runs the https://iimp0ster.github.io/detection-chokepoints/ website, which is a lolbins style website to go and view “invariant prerequisites” of certain attack techniques that you can build detections around.
As a BJJ purple belt, I love the bitmap art at the top of the repo :).


badchars/darknet-mcp-server

Self-hosted MCP server that connects services for “darknet” research. It exposes tools for all kinds of services around vulnerability research, breach data lookup, malware analysis, ransomware.live and even hooks into Tor. It’s not darknet-like the dark web, more about threat research, but still useful nonetheless if you want a single prompt to hit all these different OSINT-style tools.


28Zaaky/khaos-c2

Khaos is yet another post-exploitation framework, but the differentiator on this particular one is its heavy use of cloud and CDN services. It has the usual features you see in a C2 agent for Windows: indirect syscalls, patching ETW, and other evasion techniques. Maybe I just like the UI the most :)

Papa Johns Surveillance-Based Advertising

1 July 2026 at 12:53

Papa Johns is spying on people’s buying activities to predict when they are low on food:

The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge without being too creepy,” said Carrie Drinkwater, chief investment officer at Carat.

To achieve that goal, NBCU and Instacart created a custom audience of shoppers who regularly purchase grocery staples on Instacart, such as eggs, milk, meat and produce. Based on that data, Papa Johns can determine which days of the week certain consumers are likely to run out of groceries and serve them an ad on NBCU streaming content accordingly. The brand served custom creatives to consumers based on their food preferences—such as whether they buy meat regularly—with QR codes and calls to action such as, “Light on groceries?” or “Empty fridge?”

Back in 2012, we learned (from Target and its campaign that detects when someone is pregnant) that the trick is to hide the knowledge in other, wrong, information. So the way for Papa John’s to not be “too creepy” is to deliberately get it wrong sometimes.

But still, ugh.

A Defining Moment in Identity Security

30 June 2026 at 18:28

Artificial intelligence (AI) is changing the enterprise faster than most security models were built to handle. In just a few years, it has become part of everyday enterprise work. And soon, AI agents will do much more than provide assistance. They will act autonomously across applications, workflows, data stores and infrastructure.

This shift is already changing the security conversation – as it should. When agents can act on behalf of users, systems and business processes, identity is no longer a supporting layer of cybersecurity. It becomes the control plane for deciding who or what can act, what they can access, how much privilege they should have and when that access should be removed. Fragmented tools weren’t built to support this level of real-time visibility and control. It requires a unified identity security platform.

Palo Alto Networks recent acquisition of CyberArk reflects our conviction that identity is a core platform pillar for securing the future of AI. Identity security is now a foundational layer across our portfolio, building on CyberArk's trusted privileged access management (PAM) heritage and extending it to address the complexity of hybrid, cloud-native, and AI-driven environments. It also advances Palo Alto Networks broader platformization strategy, driven by customer demand for integrated, AI-powered security solutions that reduce complexity and close gaps created by disparate point products.

For partners, the launch of Idira™, our next-generation identity security platform, represents a significant opportunity to help customers secure access, privilege and identity risk through a more unified platform approach. More than ever, our customers need knowledgeable, trusted advisers to help them rethink how identity connects to the rest of their security architecture across network security, cloud, security operations (SecOps) and the broader AI-enabled enterprise.

Identity Security is No Longer Human-Centered

Research for our 2026 Identity Security Landscape report found that 96% of organizations have human identities operating with access far beyond what is required for their roles. That finding is unsettling enough, but also consider how modern identity security must account for far more than human users and privileged administrators. It includes machine identities and AI agent identities, ranging from service accounts, workloads and APIs to secrets and certificates and to agents operating across multiple systems.

Our recent report on identity security also notes that there are now roughly 109 machine identities for every human identity. Each identity can carry privilege, create risk and expand the attack surface. That scale makes real-time discovery, governance and control of identities essential. Yet many organizations are still managing privilege in ways that weren’t built for the AI era. When identities can act across systems and attacks can move faster, standing privilege (i.e., always-on access rights granted to users or machines) becomes harder to defend.

The premise of Idira is that every identity within an enterprise is privileged. The platform helps enterprises move from the traditional operating model of human-centered identity architectures and static access tools to embrace one platform that secures every identity – human, machine and AI agent. Idira discovers identities, entitlements and access paths, dynamically applies privileges through just-in-time controls and continuously governs identity lifecycles.

These capabilities become even more crucial as customers work to reduce fragmentation across their security environments. They want better visibility, faster time to value, stronger controls and a simpler way to manage risk across the enterprise. They still need advisory, implementation and managed services expertise, but the conversation is no longer limited to firewalls, privileged access, cloud workloads or SOC operations in isolation. Customers want expert help in connecting these areas into a unified strategy that reflects how their environments actually operate, especially with AI in the mix.

The Identity Security Opportunity for Partners

My message to partners following our launch of Idira is simple but direct: Now is the time to seize this defining moment in identity security. The speed of business is accelerating, as is the speed of attacks. And we know many of our customers around the world are already trying to understand what AI means for their security architecture, operating model and risk posture.

Partners can help lead those conversations with customers. For specialized and regional partners, this might mean expanding the advisory conversation beyond a single domain of cybersecurity. For global systems integrators, it might involve creating a more scalable delivery model by reducing the cost and complexity of stitching together multiple vendor environments. We are also actively welcoming partners into the broader Palo Alto Networks ecosystem, creating new opportunities for identity-focused partners to expand their role across the full platformization strategy.

Across partner types, the identity security opportunity is both strategic and economic. By connecting identity security to the broader Palo Alto Networks platform strategy, partners can expand services offerings, deepen customer relationships and build a stronger model for helping customers reduce complexity, improve visibility, strengthen controls and get to value faster. 

But first, sales teams, technical teams, solution consultants and managed service teams need to understand how Idira fits into the Palo Alto Networks platformization strategy and where identity security connects to customer priorities. That means taking full advantage of the sales demos, AI role plays, technical enablement and other active learning resources in Palo Alto Networks newly evolved NextWave program.

I encourage you to move quickly to build your understanding of Idira’s role in securing human, machine and AI agent identities and the shift from standing privilege to dynamic access. Be prepared to talk with customers about identity security in the context of cloud, network, SASE and SOC transformation, as you can be assured questions will be coming. Also, think about the services and offerings you can build around this opportunity. Identity security assessments, privilege modernization, machine identity protection, AI agent identity readiness and broader platformization road maps can all help customers take practical steps toward strengthening security in the rapidly evolving AI era.

Our partners play a frontline role in driving Palo Alto Networks platformization strategy and enabling our shared success. To help your teams educate customers about AI-related identity risk and how Idira can help them secure every identity in the enterprise, human or not, explore the latest resources, enablement and partner tools available through the NextWave Partner Portal.

Key Takeaways

  • With the launch of Idira, identity security became a core pillar of Palo Alto Networks platformization strategy for the AI era.
  • Idira helps organizations secure every identity – human, machine and AI agent – with dynamic access, continuous governance and real-time control.
  • Partners have a timely opportunity to help customers reduce complexity, improve visibility and connect identity security to broader cloud, network, SASE and SecOps priorities.

The post A Defining Moment in Identity Security appeared first on Palo Alto Networks Blog.

The Realities of AI Video Surveillance

30 June 2026 at 14:05

The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia.

I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions about video footage to AIs—and AIs can answer them.

In contrast with older tools restricted to a few dozen preset searches, these new tools allow an almost unlimited range of enquiries by enabling language-based searches on video.

That lets intelligence officers hunt through massive streams of videos using simple search terms, such as two men handing a bag to each other; a person who has changed their appearance, or has changed clothes multiple times in a day; or a vehicle that has recently been painted over, or has driven past the same spot several times in a short period.

“This is the holy grail of surveillance,” said a European official whose country uses the technology on its cities. “We are able to look for behaviour, not objects ­ it has created a world of new possibilities.”

Factoring RSA Keys with Many Zeros

29 June 2026 at 18:05

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild.

The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1.

Both patterns include several regularly spaced blocks of all zeros interleaved with seemingly random data. Pattern 1 appears in CT logs for certificates issued to several large organizations, including Yahoo and Verizon, and on some devices running NetApp software. Fortunately, these certificates have already expired, but we still shared our findings with these companies. We wanted to learn more about which product could be responsible for generating these keys, but we did not hear back. Pattern 2 appears on SSH hosts running the CompleteFTP software from EnterpriseDT. The underlying vulnerability affects RSA keys generated using versions 10.0.0­12.0.0 (Dec 2016­Mar 2019) and DSA keys generated with v10.0.0­23.0.4 (Dec 2016­Dec 2023).

These vulnerabilities affect a small minority of hosts on the internet, but the more interesting takeaway is that independent cryptographic implementations failed in similar ways. More implementations may include the same bugs, and so it’s worth tailoring cryptanalytic algorithms for this particular type of failure.

The article doesn’t speculate, but I will. This could be a deliberately designed backdoor, of the sort I wrote about back in 2013. I could imagine some government agency figuring out how to break this class of RSA keys, and then convincing different providers to hand them out to users.

The Bear Necessities: A Look at the Drivers, Dynamics, and Applications of the Pro-Russia Influence Ecosystem

29 June 2026 at 16:00

Written by: James Sadowski, Alden Wahlstrom


Introduction

Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. While this threat activity initially adapted to encompass Ukraine-related priorities, it is gradually pivoting back to established Russian influence objectives for which the ecosystem was originally honed. This shift is significant because it likely signals increased focus outside of Ukraine, warning that pro-Russia influence activity targeting the European Union (EU), North Atlantic Treaty Organization (NATO), and other top targeting priorities may intensify. 

Ultimately, the war in Ukraine has provided a critical feedback loop for Russia to refine its influence activity, lessons that we anticipate will be applied as the ecosystem continues to reorient toward global strategic objectives while maintaining focus on Ukraine. Further, recent pro-Russia IO indicates the continued expansion of already diverse tactics, and the increasing use of generative AI tooling for planning, research, and content creation marks a forward trend in pro-Russia IO. Meanwhile, new and different actors have adopted IO tactics to meet an increasingly diverse set of challenges, signaling growing Russian reliance on influence tactics. Together, these trends likely demonstrate the Kremlin's perception of these tactics as cost effective and successful. The interconnected nature of the ecosystem's disparate components makes it resilient to limited scope disruptions, which defenders must consider to effectively mitigate pro-Russia influence threats. 

The Ecosystem at a Glance: Objectives, Targeting, and Tactics

Russia's modern approach to information operations is built on the conceptual foundation of Soviet-era "active measures" adapted for the digital age. Alongside disruptive cyberattacks dating back to the early 2000s, the Kremlin has increasingly harnessed internet-based platforms for espionage and information operations. Russia's approach has evolved from rudimentary, singular operations into a complex, self-sustaining environment intentionally curated by the Russian Government that blends overt, covert, and independent elements to advance Kremlin interests both at home and abroad.

Core Influence Objectives 

GTIG’s observations suggest the primary strategic motivations driving the pro-Russia influence ecosystem fall into five categories, each aiming to achieve military and/or political objectives through psychological manipulation of the target audience (Figure 1). Collectively, these objectives informally depict a global influence strategy: through the furthest reach of its influence, the Kremlin seeks to diminish Western primacy and advance Russia's global position; within its surrounding region, it strives to retain and return Moscow's dominance; and at home, it works to ensure the stability of the political regime.

Core objectives of the pro-Russia influence ecosystem

Figure 1: Core objectives of the pro-Russia influence ecosystem

Targeting 

Pro-Russia influence operations are pivoting from the near singular focus on Ukraine that dominated the ecosystem since 2022. We expect influence operations advancing Russia's war-specific interests to continue. However, as Russia seeks to reemerge from international isolation, we have increasingly observed a concurrent focus on pre-war pro-Russia influence objectives. 

The current and historical targeting scope of each ecosystem component exposes both the Kremlin's global ambitions and the realistic limitations of its power projection. State-owned media organizations produce content intended to serve populations across six continents, but in recent years, sanctions and other factors have limited its production and distribution. Meanwhile, covert operations have appeared more limited in scope, primarily targeting the West and countries surrounding Russia, with intermittent operations targeting the Middle East and Africa, indicating that finite resources necessarily limit these operations (Figure 2).

Top Regional Targets
  • The United States and Europe: The Kremlin has long viewed the West as a top adversary of Russia. Accordingly, the US and Europe are top targets of covert pro-Russia information operations, especially aimed at undermining political stability within these countries and the unity between them. NATO and the EU embody the collective "West" and are Russia's perceived top adversaries, second only to the US independently.

  • Russia's "Near Abroad": Since the dissolution of the Soviet Union, Moscow has asserted that the countries that formerly comprised part of the USSR now reside in Russia's so-called "sphere of influence." Covert influence targeting this region directly reflects Moscow's assertion that Russia is a world power entitled to special privileges within its neighborhood. 

  • The Middle East and Africa: Over the past decade, Russian efforts to reassert itself as a global power have included high-profile investments in cultivating Russia's standing in the Middle East and Africa. Covert pro-Russia influence activity is likely deployed in tandem as intended support for other Russian initiatives in these regions.  

  • Russia Domestic: Internally targeted covert IO is a well-established component of pro-Russia influence activity, deployed by regime-aligned actors to promote Kremlin policies and repress opposition voices. 

Targeted Entities and Global Events
  • The Olympics: Russia has long viewed Olympic participation as a point of national prestige, and GTIG has observed notable Russian influence activity targeting the Olympics in the face of Russian participation bans. 

  • War in Ukraine: The war in Ukraine has been a key driver of Russia's influence activity, including attempts to influence events on the ground as well as influence activity intended to advance Moscow's interests elsewhere vis-a-vis the war. GTIG expects that Ukraine will remain a priority in Russia's targeting calculus during the post-conflict phase following any future peace agreements.

  • Elections: Election targeting aligns with multiple Russian influence objectives, including attempting to undermine confidence in democratic institutions as well as internally weakening perceived Western adversaries. These operations regularly target elections in countries that are already prioritized by ongoing pro-Russia influence activity. 

  • Ad Hoc Geopolitical Flashpoints and Global Events: Russian influence actors have a history of pivoting activity to engage with emerging geopolitical developments and events, such as the COVID-19 pandemic or the 2026 Middle East conflict. This flexible target selection often overlaps or is aligned with other Russian priorities, making previously observed Russian influence activity helpful in anticipating which events may be appropriated.

Priority targets of the ecosystem

Figure 2: Priority targets of the ecosystem

Tactics 

Converging geopolitical and technological developments make the evolution of pro-Russia influence tactics a particularly important space to monitor right now. The pro-Russia influence ecosystem expanded to support the war effort, bringing change across the spectrum of activity and providing operators the opportunity to hone their tactics, techniques, and procedures (TTPs) in the rapid feedback loop of war. Meanwhile, the emergence and increased democratization of generative AI tooling has brought both promised and already realized opportunities to support all phases of the IO lifecycle. The following are a sample of key tactics that illustrate how pro-Russia actors currently blend well-tested methods with new technological developments to reach audiences through diverse means:

  • Generative AI: GTIG has observed pro-Russia influence actors increasingly leverage AI tooling to support different stages of their operations, including support for planning and general research as well as content creation.

    • Google Threat Intelligence Group (GTIG) is closely tracking the transition from nascent AI-enabled operations to the maturing, industrial-scale application of generative models within adversarial workflows across threats ranging from espionage and crime to IO. Please see our latest AI threat tracker for more information on how this threat is developing based on our insights, and what Google is doing to protect our customers. 

  • Narrative Resonance: Hijacking existing ideological and emotional fissures within a society provides pro-Russia influence actors tailored narratives to target audiences and potentially increases potential engagement and impact. 

  • Cyber-Enabled IO: Influence campaigns frequently coincide with destructive cyberattacks, such as the deployment of wiper malware alongside website defacements containing false surrender messages, or the historic use of "hack and leak" campaigns in which exfiltrated data, sometimes manipulated, is then publicized through an actor-controlled false persona. In some instances, Russian actors may even leverage direct cyber espionage targeting as a way to achieve psychological effects, intending to influence victims' behavior through intimidation.

  • Media Mimicry: Pro-Russia actors have attempted to mimic legitimate media at scale and through a variety of means, including via the wholesale appropriation of legitimate media brands or developing inauthentic media brands that generally masquerade as independent news sources. These tactics are intended to add a veneer of legitimacy to the promoted narratives. 

  • Direct Dissemination: Pro-Russia influence actors have used closed communication channels, such as emails, SMS text messages, and messenger apps, to disseminate various types of pro-Russia narratives as an adjunct to or outside typical social media-focused operations. 

Core Ecosystem Components 

The current pro-Russia influence ecosystem operates across a spectrum from official government communications to deniable covert actions conducted by intelligence services and "patriotic" proxies. GTIG identified six core components that represent key activity types (Figure 3). While many elements are state-directed or state-affiliated, the ecosystem is also a cultivated, self-sustaining system: various actors, often without explicit direction, amplify Kremlin-friendly narratives and pursue actions that advance Russia's strategic interests. This fluidity provides resilience and complicates attribution, mirroring the longstanding Kremlin strategy to co-opt non-state actors, including criminal networks for finance or illicit logistics, to achieve state objectives without direct attribution. Although each of the core ecosystem components serves as a unique lever the Russian Government can employ to achieve desired objectives, they are regularly used together. For instance, while the entire pro-Russia hacktivist landscape is not state-sponsored, the Russian intelligence services have used both genuine and fabricated hacktivist personas to launder stolen data as part of blended cyber espionage and IO hybrid operations.

Core components of the pro-Russia influence ecosystem

Figure 3: Core components of the pro-Russia influence ecosystem

An Interconnected Ecosystem Enhances Influence Utility

Figure 4 illustrates the complex, interconnected nature of the pro-Russia influence ecosystem by mapping relationships between a selection of key actors and organizations across five of the core components. The ecosystem functions as a cohesive unit, not only through shared objectives, but also through direct cross-component interactions. The Russian Government functions as the sixth core ecosystem component, setting the policy and talking points that inform the ecosystem’s promoted narratives and sponsoring overt and covert assets throughout the other five components diagrammed in Figure 4. Through these levers, the Kremlin fosters the cross-component links that underpin the ecosystem, enhancing its overall utility as a versatile tool of state influence.

Subset of actors that illustrate how different components of the ecosystem interact with each other

Figure 4: Subset of actors that illustrate how different components of the ecosystem interact with each other

10 Key Dynamics for Understanding the Pro-Russia Influence Ecosystem

The scope and diversity of activity in the pro-Russia influence ecosystem challenges defenders tasked with enumerating, tracking, and countering its threats. GTIG has distilled 10 key ecosystem dynamics based on our current understanding of its components and how they each enable covert influence activity. These dynamics frame critical aspects of how activity manifests within the ecosystem, providing a high-level guide to understand and track these threats.

Large-scale IO campaigns are an integral element of the pro-Russia influence ecosystem. Major pro-Russia IO campaigns have been an enduring feature of the pro-Russia ecosystem, with new campaigns emerging as previous ones fall into inactivity. Maintaining extensive IO campaigns and their associated established influence infrastructure enables proactive messaging on strategic issues and underpins a capability that can be rapidly adapted for emerging domestic and global priorities.

  • Long-established IO campaigns, like Secondary Infektion, pivoted to meet new strategic needs as Russia’s 2022 invasion of Ukraine began. New IO campaigns, such as “Operation Overload,” subsequently emerged to support the war effort; while Secondary Infektion has become dormant, these “successor” campaigns have since been leveraged to advance other global Russian influence objectives beyond the war itself. 

Pro-Russia actors often prioritize persistence and the range of tactics they leverage reflects this. In the face of public exposure and disruption, pro-Russia actors and their infrastructure have often remained persistent, sometimes making tactical adjustments to mitigate the effects of detection and disruption and other times continuing operations unabated. 

  • These persistence tactics include the Doppelganger campaign and overt Russian media’s respective cycling of domain infrastructure and/or use of mirror domains to overcome exposure, platform bans and sanctions. Influence operators also frequently continue using compromised assets, sometimes mocking their exposure, as seen with the legacy US-targeted NAEBC campaign and the APT44-affiliated hacktivist persona XakNet Team.

NAEBC-linked persona account

Figure 5: NAEBC-linked persona account mocking public exposure of influence assets (left), and GRU-sponsored XakNet Team persona mocking then-Mandiant (now part of Google Threat Intelligence Group) attribution of the group’s activities to the GRU (right)

Pro-Russia and Russian cyber espionage groups leverage IO tactics to support their operations and weaponize stolen data and/or illicit access. While less frequent, this hybrid activity is a critical dynamic within the pro-Russia influence ecosystem. GTIG has previously observed operations used to shape narratives around cyberattacks and influence events on the ground and to conduct foreign political interference, including the repeated targeting of foreign elections, reported in Spring 2024. We have attributed some observed instances of this to Russian government-sponsored threat actors.

  • Russian state sponsored or pro-Russia hacktivist groups have long relied on public advertisement of real or claimed data exfiltration to highlight their operations, intimidate targets, or sway public opinion. In 2022, UNC4057 (COLDRIVER) used data stolen from espionage targets in a high profile hack-and-leak operation seeking to exacerbate divisions in UK politics. More recently, the self-proclaimed hacktivist group PalachPro claimed in February 2026 to have gained unauthorized access to a Ukrainian government online portal and publicly posted screenshots of the claimed compromise. The Ukrainian government has previously noted that the portal does not store the type of data the threat actor claimed to compromise, suggesting the public posting was likely intended as influence activity, attempting to create the illusion of a more serious threat.

UNC4057 leak website attempting to inflame public debate

Figure 6: UNC4057 leak website attempting to inflame public debate

Pro-Russia hacktivists serve a direct influence function. Modern pro-Russia hacktivism has evolved into an important component of the influence ecosystem that blends state-backed actors leveraging hacktivist tactics with an evolving cohort of likely third-party hacktivist actors that support Russia's geopolitical interests. Pro-Russia hacktivist groups gain domestic and foreign attention for strategic messaging via their claimed threat activity, amplify narratives directly seeded in overt ecosystem segments, and at times also support traditional IO activity or create a means of plausible deniability for state-sponsored espionage actors. 

  • The self-proclaimed hacktivist group NoName057(16) emerged following the Russian invasion of Ukraine in 2022, primarily targeting Ukraine and its partners and allies with DDoS attacks and various network intrusions. It has targeted high profile events, such as the Milano Cortina Winter Olympics, institutions like the French National Assembly, and critical infrastructure and transportation targets in Germany. Often their messaging cites grievances with overt acts of Western support for Kyiv, suggesting the group advances Russian interests not only through the targeting of perceived Russian adversaries but also in gaining attention for its pro-Russia messaging. 

Established ecosystem components facilitate the cultivation of new assets and activity. Inter-ecosystem cross-promotion helps overcome challenges of audience building by directing traffic toward new assets, operations, and narratives, enabling rapid deployment of new and existing IO capabilities. This directly supports a self-sustaining cycle that maintains and expands the ecosystem. 

  • The hacktivist persona JokerDNR played a significant role in amplifying the APT44-linked persona Solntsepek when its doxxing-focused Telegram channel first launched and then again as it began claiming cyber espionage activity. 

Domestic Russian audiences are a longstanding target of the pro-Russia influence ecosystem. Internally directed influence activity has often involved the promotion of Kremlin policies and talking points and the denigration of opposition voices and ideas, conducted by both overt and covert segments of the ecosystem. 

  • Ahead of Russia’s March 2024 presidential election, GTIG identified the hybrid espionage and influence actor UNC5101 register domains and conduct associated influence operations attempting to deceive Russian opposition voters about the timing of an anti-Putin protest.

Ecosystem actors respond to the same set of internal shifting circumstances and external geopolitical developments, often leading to seemingly similar, but ultimately distinct, activity. These shared drivers and general motivational alignments encourage actors to "spontaneously" coalesce around a particular topic or narrative. While this can appear superficially similar, this phenomenon is distinct from instances of actor coordination and campaign linkages, which is less common. 

Systemic flexibility is a central feature, with influence assets able to mobilize both incrementally and at scale to advance Russian interests. The Russian Government is able to mobilize assets across the ecosystem to respond to strategic events. Meanwhile, individual or aligned actors can separately mobilize to address tactical needs, allowing the ecosystem to concurrently message on multiple issues across different geographies (Figure 7). 

  • Russia demonstrated its ability to focus the ecosystem on a single strategic issue like the Russian invasion of Ukraine. Simultaneously, discrete assets have addressed tactical events, such as when Portal Kombat briefly promoted narratives about a Russian drone incursion into Poland concurrently with other covert pro-Russia influence activity.

Tactical responses are executed by individual or coordinated/aligned clusters of actors to address emerging developments

Figure 7: Tactical responses are executed by individual or coordinated/aligned clusters of actors to address emerging developments

Overt Russian media contributes to, and is connected with, multiple covert influence components. The overt components of Russia's influence infrastructure play a critical role within the broader Russian influence ecosystem beyond the commonly understood function of providing a public platform for government-aligned narratives and official talking points; overt media helps to drive (inform targeting) and amplify covert pro-Russia influence activity, seeding desirable narratives within the ecosystem and providing an indirect conduit between the Kremlin and a disparate array of influence actors. Overt media outlets have directly coordinated their activity with covert actors and have increasingly employed IO tactics to disseminate their own content in the face of sanctions and platform bans (Figure 8). 

  • US Government sanctions in late 2024 indicated that Russian state media company Russia Today (RT) directly conducted covert influence operations, including on behalf of the Russian intelligence services. Further, RT employees reportedly interacted with members of the self-proclaimed hacktivist group RaHDit, which has claimed to collaborate with multiple other pro-Russia hacktivist groups, illustrating the layered connections between overt media, Russian intelligence services, and hacktivist groups.

Overt Russian media maintains multiple links with the covert segments of the ecosystem

Figure 8: Overt Russian media maintains multiple links with the covert segments of the ecosystem

Outsourcing IO capability development and campaign execution to third-party organizations and proxies enables scaling and obfuscation. Outsourcing is used for developing custom tooling and bolstering both human and organizational capacity. While custom tool development facilitates operators in all phases of the IO lifecycle, Russian government actors can flexibly leverage different models for outsourcing campaign execution based on their specific needs. Proxy actors can also generate plausible deniability (Figure 9). 

  • GTIG reported how Russian IT contractor NTC Vulkan (Russian: НТЦ Вулкан) worked with the Russian intelligence services, including providing tooling and support for the GRU unit that sponsors APT44 activity. Separately, US government sanctions detailed how the Doppelganger campaign is supported by multiple Russian contractors under the sponsorship of the Russian Presidential Administration.

Outsourcing and proxies support capability development and campaign execution for covert influence activity

Figure 9: Outsourcing and proxies support capability development and campaign execution for covert influence activity

Conclusion

Multiple factors are propelling the evolution of the pro-Russia influence ecosystem we have observed since Moscow’s full scale invasion of Ukraine four years ago. The Kremlin mobilized the entire ecosystem to support the ongoing conflict, which has provided rapid feedback and driven significant investment in new and established overt and covert influence assets. At the same time, pro-Russia actors are increasingly experimenting with generative AI to enhance their workflows. This condensed period of adaptation, alongside signals suggesting Russia's growing reliance on IO tactics to navigate new challenges, raises concerns regarding how a potentially diversifying pool of actors will leverage advancements in tradecraft and scalability. As Russia seeks to emerge from international isolation and reorients its influence ecosystem back toward global objectives, it is critical for defenders to understand how this ecosystem provides the Kremlin with a durable influence capability in order to better anticipate future Russian influence threats.

Additional Tools and Resources

For mitigation and hardening recommendations, please review the following:

Google offers a suite of free of cost tools to help protect high-risk users from the most pervasive digital attacks, to which politicians, journalists, and campaigns are often most vulnerable. Examples include protecting accounts from targeted attacks with Advanced Protection Program and safeguarding campaign websites from DDoS attacks with Project Shield.

Robot Police Officers

29 June 2026 at 12:55

We’ve taken one small step towards robot police officers: a drone capable of disarming a suspect:

In a June 22 video posted on the Sacramento County Sheriff’s Office’s Instagram page, an officer wearing goggles can be seen operating a drone to retrieve a knife from an armed suspect hiding inside a cluttered house. “After not responding to negotiators, a drone was deployed inside the residence,” the post says. “Drone pilots located the suspect hiding in a corner of a garage” and then used a high-powered magnet attached to the drone to grab the knife out of the suspect’s hand. In the video ­ which is soundtracked by the “Mission: Impossible” theme song—the intercepted knife can be seen spinning around in the air as the drone carries it back to the deputies.

Slashdot thread.

❌