Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.
The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901).
"The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one

Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor

National governments warn that many hacker groups attract young people through a sense of community, fame, or the promise of money and the perception of a lack of risk of prosecution.

The Young and the Restless: Young Cybercriminals Raise Concerns

Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.
The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.
Soco404 "targets both Linux and Windows systems, deploying platform-specific malware," Wiz

Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

A recent analysis of enterprise data suggests that generative AI tools developed in China are being used extensively by employees in the US and UK, often without oversight or approval from security teams. The study, conducted by Harmonic Security, also identifies hundreds of instances in which sensitive data was uploaded to platforms hosted in China, raising concerns over compliance, data

Overcoming Risks from Chinese GenAI Tool Usage

Phishers are using legitimate looking Instagram emails in order to scam users.

A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites.

The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:

> “Hi {name}  
> Someone tried to log in to your Instagram account.  
> If this was you, please use the following code to confirm your identity:  
> 231342  
> If this wasn’t you, please \[Report this user\] to secure your account.”  

Instead of linking to a phishing website, which is most common with emails like this, both the “Report this user” and “Remove your email address” links are mailto: links. Clicking on a mailto: link opens your default email program with a pre-addressed message with the subject line “Report this user to secure your account” or “Remove your email address from this account” for the second link.

The email addresses in these links all had unsuspicious looking domains, made to look similar to legitimate ones. We call this technique of registering domain names “typosquatting.”

In the case we researched the email addresses were:

*   prestige@vacasa[.]uk.com (typosquat of vacasa.com vacation rentals)
*   ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk hardware provider)
*   technique@pdftools[.]com.de (typosquat of pdf-tools.com software provider)
*   service@boss[.]eu.com (several possibilities)
*   threaten@famy[.]in.net (science news site, possibly compromised)
*   difficulty@blackdiamond[.]com.se (known malicious domain)
*   anticipation@salomonshoes[.]us.com (typosquat of salomon.com running shoes)

We sent an email to these addresses from a dummy account to see what happened. Unfortunately, most of them were dead in the water when our email reached them. However, we did find that a lot of the servers were hosted at the same IP address.

Research of the IP address showed that there were many more domains set up, likely with the same objective in mind.

**Why mailto: links?**

Many email filters look for links to malicious domains and new ones get added fairly quickly, so the domains and emails are only useful for one day (on average). Using mailto: links can therefore help attackers avoid automated flagging or URL reputation checks.

It also saves the cybercriminals work. They don’t need to set up a fake website, which in this case would be an Instagram clone, or all the back end infrastructure needed to harvest the credentials. All they need to do now is watch the email inbox and wait for victims.

Receiving an email validates that the email address the phishing mail was sent to is active and someone is using it. That opens the victim up for further attempts. By engaging in a conversation, attackers can directly request sensitive information in a less obvious way than with a phishing form, often through continued correspondence.

Victims may feel safer replying to an email than clicking on a suspicious link. The fear of instant repercussions is smaller when you’re sending an email than for visiting an unknown website.

In March, 2025, security awareness provider Phishing Tackle reported about a phishing campaign targeting Meta users, which aimed to steal access to Instagram business accounts. The scam used step-by-step instructions and fake chat support to trick users.

In that case, the scammers threatened users with a suspension of the account due to advertising violations, but it showed once more that influential Instagram accounts are an attractive target for phishers. They can use compromised accounts for other campaigns or sell the harvested credentials to other cybercriminals.

But even if you’re not a business or bedecked with followers, if someone compromises your Instagram account they can lock you out and then demand money to give you back the account. Sadly, many people feel forced to pay because they don’t want to lose years of photos and their associated memories.

**How to avoid Instagram phishing**

Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.

*   As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn’t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Instagram or Meta.
*   Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
*   If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
*   Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
*   Do an online search about the email you received, in case others are posting about similar scams.
*   Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam or give you tips how you can find out if it isn’t sure.

 Watch out: Instagram users targeted in novel phishing campaign 

Chennai, India, 25th July 2025, CyberNewsWire

**Chennai, India, July 25th, 2025, CyberNewsWire**

xonPlus, a real-time digital risk alerting system, officially launches today to help security teams detect credential exposures before attackers exploit them. The platform detects data breaches and alerts teams and systems to respond instantly.

Built by the team behind XposedOrNot, an open-source breach detection tool used by thousands, xonPlus gives organizations instant visibility when their email addresses or domains appear in breach dumps or dark web forums.

Every day, credentials are exposed in data breaches, often without the affected organizations being immediately aware. In many cases, security teams are first alerted to incidents through ransom demands, threat intelligence reports, or internal support tickets. xonPlus addresses this challenge by providing real-time monitoring of enterprise assets, delivering alerts within minutes of confirmed credential exposure.

> “We kept hearing the same thing: teams had good security stacks, but still found out about exposed credentials too late,” said Devanand Premkumar, Founder of xonPlus.

One compromised login is enough to pivot inside a network. xonPlus gives teams the early warning signal they’ve been missing.

**Built on Proven Foundation**

xonPlus leverages the intelligence infrastructure of XposedOrNot, which has tracked 10+ billions of breach records over the last 8 years and serves millions of queries globally. The platform runs on secure infrastructure powered by Cloudflare and Google Cloud, ensuring enterprise-grade reliability and performance for security-critical operations.

**Key Capabilities**

*   **Real-Time Detection**: Getting alerts within minutes when company credentials appear in a breach, including breach source, exposure date, and recommended next steps.
*   **Seamless Integration**: Works with existing security infrastructure, including SIEM, Slack, Microsoft Teams, and email systems.
*   **Developer-First API**: High-throughput API with rate limits, auth tokens, and audit logs for embedding breach intelligence into security workflows.
*   **Enterprise Scale**: Monitoring unlimited domains and millions of email addresses with customizable alert thresholds.

**Addressing Market Need**

Unlike large threat intel platforms requiring long contracts and complex setups, xonPlus offers transparent monthly pricing with 5x to 10x cost efficiency compared to traditional costly solutions. It complements existing security stacks by focusing purely on breach exposure detection.

The platform serves three primary use cases: 

*   **xonEnterprise** for domain-wide monitoring, 
*   **xonConsumer** for customer breach alerts, and 
*   **xonAPI** for developers building security tools.

**Target Market**

**xonPlus** is designed for security teams needing earlier breach visibility, startups and SMBs without full SOC coverage, developers integrating breach detection capabilities, and risk teams focused on account takeover prevention and minimizing ransomware infections.

Teams using xonPlus have cut detection time from weeks to minutes, enabling them to lock compromised accounts before attackers gain access.

**Availability**

xonPlus is immediately available as a SaaS platform with monthly subscription plans.

**Users can learn more**: https://plus.xposedornot.com/

**Users can launch the story**: https://blog.xposedornot.com/xonplus-launch/

**About xonPlus**

xonPlus is built by the team behind XposedOrNot, the open-source breach detection platform that has helped millions of users check their exposure to data breaches. Based in Chennai, India, the company focuses on making breach intelligence accessible to security teams of all sizes.

**Contact**

**Founder**  
**Devanand Premkumar**  
**\[email protected\]**

xonPlus Launches Real-Time Breach Alerting Platform for Enterprise Credential Exposure

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mvw6-62qv-vmqf: Koa Open Redirect Vulnerability

Starting today, UK adults will have to prove their age to access porn online. Experts warn that a global wave of age-check laws threatens to chill speech and ultimately harm children and adults alike.

Beginning today, millions of adults trying to access pornography in the United Kingdom will be required to prove that they are over the age of 18. Under sweeping new online child safety laws coming into force, self-reporting checkboxes that allow anyone to claim adulthood on porn websites will be replaced by age-estimating face scans, ID document uploads, credit card checks, and more. Some of the biggest porn websites—including Pornhub and YouPorn—have said that they will comply with the new rules. And social media sites like BlueSky, Reddit, Discord, Grindr, and X are introducing UK age checks to block children from seeing harmful content.

Ultimately, though, it's not just Brits who will see such changes. Around the world, a new wave of child protection laws are forcing a profound shift that could normalize rigorous age checks broadly across the web. Some of the measures are designed to specifically block minors from accessing adult material, while others are meant to stop children from using social media platforms or accessing harmful content. In the UK, age checks are now required by websites and apps that host porn, self-harm, suicide, and eating disorder content.

Protecting children online is a consequential and urgent issue, but privacy and human rights advocates have long warned that, while they may be well-intentioned, age checks introduce a range of speech and surveillance issues that could ultimately snowball online.

“Age verification impedes people’s ability to anonymously access information online,” says Riana Pfefferkorn, a policy researcher at Stanford University. “That includes information that adults have every right to access but might not want anyone else knowing they’re consuming—such as pornography—as well as information that kids want to access but that for political reasons gets deemed inappropriate for them, such as accurate information about sex, reproductive health information, and LGBTQ content.”

Efforts that have been mounting over the past decade to introduce strong age checks online have recently gained traction. Last month, the United States Supreme Court paved the way for states to require porn websites to check that visitors are at least 18 using age-verification technologies. Pornhub, for example, has already blocked access to visitors in at least 20 states as laws have been passed. Meanwhile, courts in France ruled last week that porn sites can check users' ages. Ireland implemented age checking laws for video websites this week. The European Commission is testing an age-verification app. And in December, Australia’s strict social media ban for children under 16 will take effect, introducing checks for social media and people logged in to search engines.

“If people choose not to log on \[to search engines\] to avoid age assurance checks, this could have a wide-reaching impact on the streamlined, integrated ways people search for online information,” says Lisa Given, a professor of information sciences at RMIT University in Australia who has been closely following the country’s age-checking policies. “It will also affect the level of privacy people have come to expect from being able to search freely online, which may change how and where they search for information.”

****Coming of Age****

Though the recent wave of court decisions and legislation around age verification is new, multiple online platforms and services have required some form of age checking for years. The British age-verification company Yoti, which works on multiple digital identity technologies including face scanning to estimate ages, says it has done more than 850 million age checks and completes more than 1 million per day. “Brands around the world in different sectors are using this technology, including social media, gaming, adult, dating, retail, and vaping,” a Yoti spokesperson told WIRED in an email.

Age-verification mechanisms come in multiple forms. The UK’s Online Safety Act, which is being overseen by communications regulator Ofcom, lists seven “highly effective” approaches that websites can use. Typically websites will employ third-party companies from the growing age-assurance industry rather than checking ages directly themselves.

Standard age verification is done by uploading a form of government identification and a selfie, using a digital identity service, or submitting credit records or other financial documentation. There are also age estimation services. For example, “email-based” age estimation, according to the UK’s Ofcom, will analyze data on where your email address has been used and for how long as part of a calculation of how old you are. Age estimation services that try to predict someone’s age from a selfie or a video are also increasingly common. Their performance varies, though, depending on how accurate the underlying algorithms are. Many systems offer accuracy of “plus or minus 18 months.” Some physical stores in France that sell tobacco already use facial estimation systems as well.

There are potential privacy and security risks that come with all the approaches, though, such as excessive data gathering, government surveillance, and the threat of data breaches. And opponents of age verification argue that the technologies are not reliable and can be circumvented. Last year, for example, an Israeli ID-verification company exposed driver's licenses and other sensitive data because of a technical oversight. A study commissioned by Green politicians in Europe last year concluded that, while there were some “promising” privacy-preserving methods for age checks, there is ultimately “misalignment between the urgency with which governments are pushing for age assurance and the time needed to develop robust, safe, and trustworthy age assurance technology.” Preliminary results released in June from a study in Australia found multiple problems with age-checking systems.

“The question isn't whether there will be a data breach connected to age verification, it's when,” says Alison Boden, executive director of Free Speech Coalition, a US-based adult entertainment industry trade association. “So, people circumvent the laws. In the best case, they use VPNs to protect their identities. And in the worst case, they turn to websites that flout the law, and then risk being exposed to illegal content like child sexual abuse material and nonconsensual intimate imagery. And this is all in service of policies that have clearly been shown to be ineffective.”

In general, many porn sites and other adult content platforms say that they are in favor of age checks but don’t agree with current approaches.

Proponents of age verification say that it is possible to minimize data collection. Third-party providers can limit the personal information that is shared with individual sites conducting age verification. And, particularly, these third parties can use what are known as authentication tokens, so people can confirm their age once and then produce this credential across multiple sites and providers as verification.

“Our members do over a billion anonymized age checks a year, so our best argument is our track record—and we know that will just continue to improve because of the strict application of data minimization principles,” says Iain Corby, the executive director of the industry group Age Verification Providers Association. “There is no need to retain any personal data after an age check is completed, and if you don’t keep data, it can’t be lost or stolen.”

****Aging Out****

The practical realities of widespread age verification are messy, though. For one thing, sites and services may not comply with regulations. Ofcom, the UK regulator, says that it may issue fines to websites that do not put age checks in place. It already has 11 investigations open. Additionally, not all people have the proper ID or other documents to prove their age when signing up for sites.

“No solution to this is perfect,” says Rachel Coldicutt, the executive director of Careful Industries and a former Ofcom nonexecutive director. “Age verification assumes that all services and platforms that host harmful content are good and lawful actors and that devices don’t get shared. In lots of families, someone aged under 16 or 18 would easily be able to log in to a device that belongs to one of their parents, so unless age verification is required on every login to a site or app it would be quite easy to get access to age-restricted content by using an adult’s device.”

In general, too, many experts note that age verification is broadly unpopular. People feel uncomfortable scanning their face or handing over personal details to view content or participate in online discourse, especially when they are trying to use a service or view content that is intimate or otherwise personal in nature. As a result, age verification can have a chilling effect on speech and the free flow of information online.

And since people can use circumvention tools like VPNs to skirt national laws, there are limits to how effective these policies can be in isolation, which has the potential to tip off a sort of validation and surveillance arms race. There is often a spike in VPN interest when a country introduces new age-check laws.

“A critical point is that while these measures are intended to keep children safe from harmful content, my concern is that these measures will give parents and other members of the public a false sense of security,” says Given, the Australian academic. She adds that there should be greater government investment in education for young people, parents, and teachers about potential online harms, plus more support for people who use social media to access critical information.

As Stanford’s Pfefferkorn puts it, “Ultimately, age verification tech actually poses a risk to the kids it is supposed to protect. It chills their ability to access information, and it can put them at risk of privacy violations, identity theft, and other security issues.”

The Age-Checked Internet Has Arrived

Choosing a data annotation platform? Learn when to use SaaS or on premise based on speed, cost, data privacy, and project scope.

Choosing between an on-premises and SaaS data annotation platform affects more than just how you label data. It shapes your team’s workflow, budget, and ability to manage sensitive information. With AI models demanding ever-larger and more accurate datasets, selecting the right approach matters.

This article compares both options (on-premises and SaaS) and explains when each makes sense. You’ll also learn what to consider when evaluating a data labelling platform, whether you’re running an internal project or using an AI platform data labelling service.

****What Is a Data Annotation Platform?****

Before you choose between on-premises and SaaS, it helps to understand what a data annotation platform does and why the deployment model matters.

****Core Purpose of Data Annotation Tools****

A data annotation platform helps you label raw data so AI models can use it. This data can be text, images, video, or audio. Labels tell the model what the data means.

You’ll see these tools used in computer vision, such as object detection and facial recognition, as well as in natural language processing for tasks like sentiment analysis and chatbots. They are also applied in speech and audio recognition, as well as in robotics and autonomous vehicles.

Some teams still label data by hand. Many now use an automatic data labelling platform to save time and lower costs.

****Why Deployment Model Matters****

How you set up your platform for data labelling affects how you work with data. Here’s why it matters:

*   **Privacy.** Sensitive data (health, finance, government) often can’t leave your network.

*   **Set up speed.** SaaS tools work out of the box. On-premises takes longer to install.

*   **Cost.** On-premises platforms usually have a high upfront cost. SaaS spreads payments over time.

*   **Customization.** On-premises lets you tailor the tool to your needs. SaaS offers fewer options but is easier to manage.  
    

A flexible data annotation platform can support both simple and advanced needs. If your AI project has strict privacy rules or large datasets, your choice of platform becomes even more important.

****SaaS Data Annotation Platforms: Benefits and Limitations****

SaaS (Software as a Service) platforms are hosted by a provider and accessed through the cloud. You don’t manage the hardware or updates; the vendor handles that. This makes them popular for teams that need to move fast or lack in-house IT support.

****Key Advantages of SaaS Solutions****

SaaS data labelling platforms offer several benefits:

*   **Fast setup.** You can start labelling data in hours or days with no hardware needed.

*   **Automatic updates.** The provider keeps the software current, saving your team time.

*   **Easy scaling.** You can add more users or projects without new infrastructure.

*   **Lower upfront cost.** You pay a subscription fee, which spreads out your expenses.

*   **Remote collaboration.** Teams in different locations can work on the same platform.

Example: If your team is running a short-term AI project or a proof of concept, a SaaS data annotation platform helps you avoid setup delays.

****Typical Limitations of SaaS Tools****

SaaS comes with trade-offs:

*   **Data privacy.** Your data passes through the vendor’s cloud, which may be a problem in regulated industries.

*   **Limited customisation.** SaaS platforms offer pre-built features, but deep custom changes may not be possible.

*   **Ongoing costs.** Subscription fees add up, especially for large teams or long-term projects.

*   **Vendor reliance.** Your work depends on the vendor’s service uptime and support.

Before choosing a SaaS platform, consider whether your data can legally and safely be processed off-premise, how long your project will run, and how much customisation you require.

****On-Premise Data Annotation Platforms: Benefits and Limitations****

An on-premises data annotation platform runs on your own servers. Your team manages the hardware, software, and data. This gives you more control, but also more responsibility.

****Key Advantages of On-Premise Solutions****

On-premises data labelling platforms are a strong choice when:

*   **You need full data control.** Your data stays on your servers, which is key for privacy and compliance.

*   **Customisation matters.** You can adapt the platform to fit your tools, workflows, and security needs.

*   **You want predictable costs.** Many on-premises platforms use a one-time license fee, which avoids long-term subscriptions.

*   **You control availability.** Your platform isn’t tied to an outside vendor’s uptime.

For example, if you’re labelling sensitive health data or working under strict data protection laws, an on-premise platform gives you the control you need.

****Typical Limitations of On-Premise Tools****

On-premises deployment isn’t always the best fit:

*   **Complex setup.** It takes time and expertise to install and configure the system.

*   **Ongoing maintenance.** Your team must handle updates, security, and backups.

*   **Higher upfront cost.** Hardware, licenses, and setup can require a large initial investment.

*   **Longer deployment time.** It may take weeks or months to get the system fully running.

Before choosing an on-premise solution, consider whether your team has the technical skills to manage the platform, if you have strict data privacy or compliance requirements, and whether your project budget can handle the initial setup costs.

****Common Questions When Choosing a Platform****

When picking between an on-premises or SaaS data labelling platform, it helps to ask the right questions. Your answers will guide your decision and prevent costly mistakes.

****How Sensitive Is Your Data?****

Some data should never leave your network, such as patient records in healthcare, financial transactions, and classified government data. If your project involves sensitive data or strict compliance rules (GDPR, HIPAA, etc.), an on-premises platform for data labelling may be the safer choice.

****What Is Your Project Timeline?****

Speed matters. If you need to start labelling data tomorrow, a SaaS solution will get you there faster. If you’re building a long-term, high-control system, on-premise might be worth the wait. Consider when you need your first labelled dataset and whether the project will expand over time.

****What Is Your Budget?****

Costs break down differently: SaaS typically has a low upfront cost with ongoing subscription fees, while on-premise involves a high upfront cost but lower ongoing expenses. You should also consider hidden costs such as maintenance for on-premise solutions, data transfer or storage fees for SaaS, and the time required from IT staff. A simple cost of ownership analysis can help you compare options.

****How Many Users Will Access the Tool?****

If your labellers are spread across multiple locations or include external partners, SaaS platforms make collaboration easier. And if your team operates from a single secure site, an on-premise solution may offer the level of control you need.

****Conclusion****

Choosing between an on-premises or SaaS data annotation platform depends on your project’s needs. If speed, scalability, and ease of access matter most, a SaaS option works well. If your focus is on data privacy, customisation, or long-term control, on-premises is likely the better fit.

Take the time to weigh your priorities: security, budget, timeline, and team resources. The right platform for data labelling can help you build better AI models faster, with fewer risks and more control where it counts.

(Top, Featured Photo by Google DeepMind on Unsplash)

On-Premise vs SaaS Data Annotation Platforms Compared

New Scavenger Trojan steals crypto wallet data using fake game mods and browser flaws, targeting MetaMask, Exodus, Bitwarden, and other popular apps.

The latest report from Doctor Web has detailed a malware campaign involving a new family of trojans called Trojan.Scavenger (Scavenger Trojan). These aren’t your typical malicious files that simply run in the background and steal data; they’re carefully structured to abuse a vulnerability in how Windows loads certain components. The attackers used this to infect targeted systems and extract sensitive information, especially from crypto wallets and password managers.

It all started when Doctor Web looked into a targeted attack on a Russian enterprise. During the investigation, their team noticed the attackers were taking advantage of DLL Search Order Hijacking.

This method lets malicious files get into software by faking to be legitimate components. The trick is placing a fake DLL in the same folder as the target application, giving it priority over the real system version. Once launched, the fake file runs as if it were part of the original app, giving it access to everything the app can reach.

According to Doctor Web’s report, after adding protection against this technique to their antivirus suite, the company began collecting telemetry data. That’s when they noticed some users were being served unknown malicious files through their browsers.

This led the researchers to the discovery of the Trojan.Scavenger campaign. It later became clear that attackers were distributing this malware in multiple stages and using various bait methods like game patches and cheats to lure victims into running it.

One infection route used a three-stage loader chain. The first component, Trojan.Scavenger1, was disguised as a performance patch for the game Oblivion Remastered. Victims were instructed to drop the fake DLL into the game’s folder.

The file name was deliberately chosen to match a legitimate Windows DLL so it would get loaded instead of the real one. But in this specific game version, the exploit failed because the developers had properly configured the loading process. Still, the same trick could succeed in other programs.

Researchers further noted that when the Trojan does manage to run, it downloads the next stage, Trojan.Scavenger.2, which then pulls in additional modules, Trojan.Scavenger.3 and Trojan.Scavenger.4. One of these, Trojan.Scavenger.3, pretends to be a system library and gets placed into the folder of Chromium-based browsers like Chrome, Edge, Opera, and Yandex. Because of the loading flaw, the browser ends up running the malicious file instead of the real system version.

This version of the Trojan tampers with the browser’s internal security features. It disables the sandbox and blocks the check that verifies browser extensions. Then it edits copies of popular extensions, including the following:

*   Slush
*   Phantom
*   LastPass
*   MetaMask
*   Bitwarden

The originals remain untouched, but the browser is tricked into using the tampered versions. These altered versions are designed to silently send data, such as mnemonic phrases and stored passwords, to the attacker’s server.

Meanwhile, Trojan.Scavenger.4 similarly targets the Exodus crypto wallet. It gets loaded when the app starts, using the same DLL hijacking method. Once inside, it taps into the app’s engine to scan for key data like the mnemonic phrase and the file storing the private key. That information is then sent to the attacker.

In another version of the campaign, the attackers skip the first trojan and start directly with a modified Trojan.Scavenger.2. This one uses a file with an .ASI extension, often associated with game mods or plugins. For example, users might be told to install a file called “Enhanced Native Trainer.asi” into their GTA game folder. The game recognises it as a plugin and runs it automatically, allowing the infection chain to continue from there.

Across all versions of this malware, the trojans share some key behaviour patterns. They check if they’re being launched inside a virtual machine or debug environment and will stop working if they detect one. This is a common method used to avoid detection during security research.

Another shared feature is how they communicate with their control server. They use a two-step handshake to set up an encrypted channel, first asking for part of the encryption key, then verifying the connection by sending encrypted timestamps. Any requests sent without this setup are ignored by the server.

Doctor Web reached out to the software developers whose apps were vulnerable, but most of them declined to fix the DLL hijacking flaw. Therefore, users must exercise caution and avoid downloading apps from third-party stores, refrain from using pirated games and keep their anti-virus software updated.

Latest News