CERT-FR's advisory follows last month's disclosure of a zero-day flaw Apple said was used in "sophisticated" attacks against targeted individuals.

French Advisory Sheds Light on Apple Spyware Activity

A Stored cross-site scripting vulnerability in the Liferay Portal  7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-g8fh-pfw3-8rmr: Liferay Portal's selection modal is vulnerable to XSS

New SEO poisoning campaign exposed! FortiGuard Labs reveals how attackers trick users with fake websites to deliver Hiddengh0st…

New SEO poisoning campaign exposed! FortiGuard Labs reveals how attackers trick users with fake websites to deliver Hiddengh0st and Winos malware.

A new cyberattack campaign is preying on Chinese-speaking Windows users by manipulating search engine results. Fortinet’s research division, FortiGuard Labs, has just released its latest research blog revealing how attackers used a technique called SEO poisoning (manipulating malicious websites to appear at the top of search engine results) to trick people into downloading harmful software.

According to FortiGuard Lab’s blog post, the campaign was discovered in August 2025, in which attackers created fraudulent websites that looked almost identical to legitimate software providers and used special plugins to artificially boost these fake sites to the top of search rankings.

A visitor, thinking they were on a trusted site, would download what appeared to be a real application. However, “the installers contained both the legitimate application and the malicious payload, making it difficult for users to notice the infection,” researchers noted.

Spoofed site appears at the top in search results and fake websites (Source: Fortinet)

Once a user ran the installer, the malware launched a file that performed a series of checks. It was designed to be sneaky and would look for signs that it was being run in a research or sandbox environment rather than on a real person’s computer. If it detected it was in a lab setting, it would simply stop running immediately to avoid being discovered. This is a crucial detail for understanding the attackers’ methods.

These fake installers were designed to secretly install two types of malware: Hiddengh0st and Winos. Hiddengh0st is a tool that allows an attacker to remotely control a computer, while Winos is known for stealing valuable information. This stolen data can then be used for future cyberattacks. The severity of this campaign is classified as high due to the potential impact on victims.

Attack Flow (Source: Fortinet)

The attackers’ use of lookalike domains and small character substitutions (for example, replacing a letter “o” with the number “0”) was a key part of their deception. To ensure the malware stayed on the computer, it would modify system files and create new ones to launch automatically every time the computer was turned on. A previous example using fake websites in such an attack is: Google.com, not ɢoogle.com.

The research further revealed that the malware could steal a wide range of personal information, including data from cryptocurrency wallets like those for Tether and Ethereum. It was also observed to be capable of logging keystrokes and capturing what was copied to the clipboard. The attackers could then issue commands remotely, allowing them to fully control the infected computer.

FortiGuard Labs shared this research with Hackread.com, highlighting how quickly threats are evolving in the digital world. It’s always a good practice to be careful online and to always inspect a domain name carefully before downloading any software.

SEO Poisoning Attack Hits Windows Users With Hiddengh0st and Winos Malware

Agentic and AI browsers are here: What are they? Which ones are there? How can they help me? Are they safe to use?

Browsers like Chrome, Edge, and Firefox are our traditional gateway to the internet. But lately, we have seen a new generation of browsers emerge. These are AI-powered browsers or “agentic browsers”—which are not to be confused with your regular browsers that have just AI-powered plugins bolted on.

It might be better not to compare them to traditional browsers but look at them as personal assistants that perform online tasks for you. Embedded within the browser with no additional downloads needed, these assistants can download, summarize, automate tasks, or even make decisions on your behalf.

**Which AI browsers are out there?**

AI browsers are on the way. While I realize that this list will age quickly and probably badly, this is what is popular at the time of writing. These all have their specialties and weaknesses.

*   **Dia browser****:** An AI-first browser where the URL bar doubles as a chat interface with the AI. It summarizes tabs, drafts text in your style, helps with shopping, and automates multi-step tasks without coding. It’s currently in beta and only available for Apple macOS 14+ with M1 chips or later and specifically designed for research, writing, and automation.
*   **Fellou****:** Called the first agentic browser, it automates workflows like deep research, report generation, and multi-step web tasks, acting proactively rather than just reactively helping you browse. It’s very useful for researchers and reporters.
*   **Comet****:** Developed by Perplexity.ai, Comet is a Chromium-based standalone AI browser. Comet treats browsing as a conversation, answering questions about pages, comparing content, and automating tasks like shopping or bookings. It aims to reduce tab overload and supports integration with apps like Gmail and Google Calendar.
*   **Sigma browser****:** Privacy-conscious with end-to-end encryption. It combines AI tools for conversational assistance, summarization, and content generation, with features like ad-blocking and phishing protection.
*   **Opera Neon**: More experimental or niche, focused on AI-assisted tab management, workflows, and creative file management. Compared to the other browsers on this list, its AI features are limited.

These browsers offer various mixes of AI that can chat with you, automate tasks, summarize content, or organize your workflow better than traditional browsers ever could.

For those interested in a more technical evaluation, you can have a look at Mind2Web, which is a dataset for developing and evaluating generalist agents for the web that can follow language instructions to complete complex tasks on any website.

**How are agentic browsers different from regular browsers?**

Regular browsers mostly just show you websites. You determine what to search for, where to navigate, what links to click, and maybe choose what extensions to download for added features. AI browsers embed AI agents directly into this experience:

*   Conversational interface: Instead of just searching or typing URLs, you can _talk_ or type natural language commands to the browser. For example, “Summarize these open tabs,” or “Add this product to my cart.”
*   Task automation: They don’t just assist, they act autonomously to execute complex multi-step tasks across sites—booking flights, researching topics, compiling reports, or managing your tabs.
*   Context awareness: AI browsers remember what you’re looking at in tabs or open apps and can synthesize information across them, providing a kind of continuous memory that helps cut through the clutter.
*   Built-in privacy and security features: Some integrate robust encryption, ad blockers, and phishing protection aligned with their AI capabilities.
*   Integrated AI tools: Text generation, summarization, translation, and workflow management are part of the browser, not separate plugins.

This means less manual juggling, fewer tabs, and a more proactive digital assistant built into the browser itself.

**Are AI browsers safe to use?**

With great AI power comes great responsibility, and risk. So, it’s important to consider the security and privacy implications if you decide to start using an AI browser and when to decide which one.

There are certain security wins. AI browsers tend to integrate anti-phishing tools, malware blocking, and sandboxing, sometimes surpassing traditional browsers in protecting users against web threats. For example, Sigma’s AI browser employs end-to-end encryption and compliance with global data regulations.

However, due to their advanced AI functionality and sometimes early-stage software status, AI browsers can be more complex and still evolving, which may introduce vulnerabilities or bugs. Some are invite-only or in beta, which limits exposure but also reduces maturity.

Privacy is another key concern. Many AI browsers process your data locally or encrypt it to protect user information, but some features may still require cloud-based AI processing. This means your browsing context or personal information could be transmitted to third parties, depending on the browser’s architecture and privacy policy. And, as browsing activity is key to many of the browser’s AI features, a user’s visited web sites—and perhaps even the words displayed on those websites—could be read and processed, even in a limited way, by the browser.

Consumers should carefully review each AI browser’s privacy documentation and look for features like local data encryption, minimal data logging, user consent for data sharing, and transparency about AI data usage.

As a result, choosing AI browsers from trusted developers with transparent privacy policies is crucial, especially if you let them handle sensitive information.

**When are AI browsers useful, and when is it better to avoid them?**

Given the early stages of development, we would recommend not using AI browsers, unless you understand what you’re doing and the risks involved.

When to use AI browsers:

*   If productivity and automation in browsing are priorities, such as during deep research, writing, or complex workflows.
*   When you want to cut down manual multitasking and tab overload with an AI that can help you summarize, fetch related information, and automate data processing.
*   For creative projects that require AI assistance directly in the browsing environment.
*   When privacy-centric options are selected and trusted.

When to avoid or be cautious:

*   If you handle highly sensitive data—including workplace data—and the browser’s privacy stance is unclear.
*   There will be concerns about early-stage software bugs or untested security.
*   When minimalism, speed, control, and simplicity are preferred over complex AI-driven features.
*   If your choice is limited it may be better to wait. Some AI browsers still focus on macOS or are limited to other platforms.

In essence, AI and agentic browsers are transformative tools meant to augment human browsing with AI intelligence but are best paired with an understanding of their platform maturity and privacy implications.

It is also good to understand that using them will come with a learning curve and that research into their vulnerabilities, although only scratching the surface has uncovered some serious security concerns. Specifically on how it’s possible to deliver prompt injection. Several researchers and security analysts have documented successful prompt injection methods targeting AI browsers and agentic browsing agents. Their reliance on dynamic content, tool execution, and user-provided data exposes AI browsers to a broad attack surface.

AI browsers are poised to redefine how we surf the web, blending browsing with intelligent assistance for a more productive and tailored experience. Like all new tech, choosing the right browser depends on balancing the promise of smart automation with careful security and privacy choices.

For cybersecurity-conscious users, experimenting with AI browsers like Sigma or Comet while keeping a standard browser for your day-to-day is a recommended strategy.

The future of web browsing is here. Browsers built on AI agents that think, act, and assist the user are available. But whether you and the current state of development are ready for it, is a decision only you can make.

Questions? Post them in the comments and I’ll add a FAQ section which answers those we know how.

 AI browsers or agentic browsers: a look at the future of web surfing 

We often don’t find out the real details of a scam, and how one ‘like’ can turn into a nightmare that controls someone’s life for many years. This is that story.

We hear so often about people falling for scams and losing money. But we often don’t find out the real details of what happened, and how one “like” can turn into a nightmare that controls someone’s life for many years. This is that story.

Not too long ago, a scam victim named Karen reached out to me, asking for help. It’s a story that may seem unbelievable to some, but it happens more often than you think.

Karen tells us about the initial hook:

> “My story started on January 1, 2020, when a man called Charles Hillary ‘liked’ something that I shared on the exercise app Fitbit. He kept on reaching out instead of just liking and moving on like most people do.“

It wasn’t long until “Charles” asked Karen if she wanted to move their chats to Google Hangouts. Karen used Google Hangouts at work so it didn’t seem like a strange request.

But moving a conversation to a more secure environment is not something scammers do for convenience. They do it to reduce the chance of anyone listening in on their conversation or finding out their identity.

Karen was slightly suspicious about when she would get messages from Charles, given that he had told her he was from Atlanta, Georgia.

> “Every time he messaged me, I would receive it around 2am, so I asked him where he was. He responded and said he was on a contract job with Diamond Offshore Drilling in Ireland. I later found that not to be true.”

As it happens, Ireland is in the same time zone as West Africa Time (WAT), which is used in countries like Gabon, Congo, and Nigeria.

In late January, after Karen and Charles had been talking for almost a month, he asked her for some help.

Charles said he had lent his friend, also in the oil drilling business, a lot of money. His friend had paid him back, he said, but had left it in a box with a security company, Damag Security.

> “He said the security company was closing and needed him to get his ‘box.’ He asked me to be the recipient and I asked him lots of questions but ultimately agreed since it would not cost me anything and I could place it in his bank at my local branch of Bank of America.”

Charles showed Karen the documentation:

Once a scammer has found an angle and the victim is invested, the costs will typically grow in number and in size.

> “This is when the nightmare began. The box immediately cost me $3900 for shipping.”

After that, Karen was asked by the security for money for various forms. Charles told her all forms should have been secured when the money was placed with the security company.

> “He played innocent through it all.”

The forms were expensive and ranged from $25,000 to around $60,000. Karen asked them to reduce the price and they did, so she paid.

Charles gave Karen several separate reasons as to why he wasn’t able to get the money himself:

*   His bank account had been frozen due to money laundering.
*   His ex-wife had taken a lot of his money so he froze his account until he could return in person.
*   He had illegally done oil drilling in Russian waters and made a lot of money—also in the box—and could not let anyone find out about it or he would go to prison.

It all does sound far-fetched, and it’s easy to read this and say you’d never get caught by something like this. However, Karen is a well-educated person who was manipulated into paying large sums of money. Scams can catch anyone out.

Karen realised something wasn’t right and that she was being scammed, so she filed a police report at her local Sheriff’s Office, along with the FBI, TBI, IC3 and the Better Business Bureau.

The local investigator found nothing on Charles Hillary. Worse, the damage was already done: Karen’s credit was bad, her finances in a mess, and nobody except for one friend and a co-worker knew.

> “At this point, I owed about $65,000—some was a Discover loan, some were cash advances and some on credit cards…all in my name alone.”

The box scam continued until December 2020 until the scammer decided to change tactics.

Scammer threats, while scary, are typically empty. But how can a victim be sure of that? Karen tells us about the most recent threats the scammer made:

> “The most recent threat was to my son’s wedding. He said the Russians had hired hit men in the United States to create a blood bath. He sent me the wedding invite to prove he knew who, where, and when. Nothing happened but he is still emailing me daily.”

The scammer started using a second, more supportive, persona. As an example of how this second persona was used, this bizarre, less aggressive email came after the threats to disrupt the wedding (all sic):

> “I woke up with sadness in my spirit due to the recent threats against your children …
> 
> I have about $2500 in my wallet and if you can send the balance today that would be great so we can end this immediately instead of waiting for your son wedding to become a disaster or endangering his guess. I am willing to assist with $2500 if you can come up with the balance today and also the board will be in an agreement to prevent any future harm against your children. Get back to me as soon as possible.”

This persona expresses concern and sadness about the threats against the victim’s children and criticizes “Hillary” for continuing the threats. This dual-role tactic is a classic psychological manipulation technique often used in scams:

*   The victim feels fear and urgency from the threat.
*   Then they feel relief and trust from the “helper” who appears to be on their side.
*   This builds rapport and pressure to comply with demands.
*   The combination makes the victim feel psychologically cornered, pushing them to do things which they’d normally consider irrational.

**Our investigation**

An analysis of the language and style of the emails from the two personae shows it’s very likely the same person or same group of people working from the same script.

Many of the Gmail addresses the scammer used were removed after complaints to Google, but it’s trivial to set up a new one. Google did tell Karen that at least some of the accounts were set up from Nigeria.

Our own analysis of the headers of some recent emails didn’t reveal much useful information, unfortunately.

****Email authentication and origin:****

*   The email was sent from the Gmail server (mail-sor-f41.google.com) with IP 209.85.220.41, which is a legitimate Google mail server IP.
*   SPF, DKIM, and DMARC authentication all passed successfully for the domain gmail.com and the sending addresses charleshillary\*\*\*\*@gmail.com and cortneymalander\*\*\*@gmail.com. This means the emails were indeed sent through Google’s infrastructure and the sender address was not spoofed at the SMTP level.
*   ARC (Authenticated Received Chain) signatures are present but show no chain validation (cv=none), which is typical for a first hop.
*   The Return-Path and From address match, which is a clear sign that the envelope sender and header sender are consistent.

Conclusion: The sender’s Gmail accounts were likely compromised or set up for this scam, rather than the email being forged or spoofed at the server level. Looking at the list of past email addresses, we are pretty sure that all of them were created specifically for this scam.

We also followed up on some wire transfers that Karen made to pay the scammer, but we found that the receivers were scam victims as well, which the scammers used as money mules. The receivers of the wires were instructed to collect the money and put it in a Bitcoin wallet. Most of Karen’s payments went directly into those wallets.

We’ve advised Karen to ignore the scammers and not even open their emails anymore. At some point they will give up and turn their attention to other victims. Meanwhile, Karen will have to keep working two jobs as she has a remaining $20,000 debt.

Even after a month of not replying, Karen reports that she still receives emails from the scammer. They haven’t given up on extracting more money out of her. Her exhaustion and isolation showed in this reply to me:

> “Appreciate your help so much. Wish I had found you a long time ago. Could have saved me money, 2nd jobs and a marriage from nearly going under. The devastation they cause is real.
> 
> This is what I daily beat myself up over. I saw the signs of scam. I was told it was scam, but they make it so dang real that I could not wrap my head around it being anything but truth. I looked for any and every sign of them stepping all over each other in their stories but never did until about two or so months ago.”

**How to tell if you’re talking to a scammer**

A few things that should have warned Karen:

*   The person that contacted you on one platform now wants to move to a different platform. Whether that is WhatsApp, Signal, Telegram, or as in Karen’s case, Google Hangouts. For a scammer this is not a matter of convenience, but of staying under the radar.
*   Time zones don’t match up. Based on their activity, you can make a rough guess about the time zone the person you are communicating with is in. Check if that matches their story. In Karen’s case the scammer picked Ireland which is very likely their actual time zone but given their use of the English language, not their actual location.
*   Dodgy paperwork. The documents Karen received would not have survived any legal or professional scrutiny. But since Karen was too embarrassed to tell anyone what she was involved in, she didn’t get a second opinion on the papers.
*   A second person starts messaging. Granted that the scammers had a decently thought out script, linguistic analysis would have shown Karen that the two separate personas were one and the same person with a very high accuracy.

If you feel like you might be talking to a scammer, **STOP** and think of the following tips:

1.  **S**low down: Don’t let urgency or pressure push you to take action.
2.  **T**est them: Ask questions they should know the answer to, especially if you think they are posing as someone you know
3.  **O**pt out – Don’t be afraid to end the conversation.
4.  **P**rove it – If any companies are involved, confirm the request by contacting the company through a verified, trusted channel like an official website or method you’ve used in the past.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 From Fitbit to financial despair: How one woman lost her life savings and more to a scammer 

Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks.
The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution.
"Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to

Vulnerability / Mobile Security

Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks.

The vulnerability, **CVE-2025-21043** (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution.

"Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory. "The patch fixed the incorrect implementation."

According to a 2020 report from Google Project Zero, libimagecodec.quram.so is a closed-source image parsing library developed by Quramsoft that implements support for various image formats.

The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025.

Samsung did not share any specifics on how the vulnerability is being exploited in attacks and who may be behind these efforts. However, it acknowledged that "an exploit for this issue has existed in the wild."

The development comes shortly after Google said it resolved two security flaws in Android (CVE-2025-38352 and CVE-2025-48543) that it said have been exploited in targeted attacks.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR).
The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR).

The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks.

The agency did not share further details on what triggered these alerts. Previous threat notifications were sent on March 5, April 29, and June 25. Apple has been sending these notices since November 2021.

"These complex attacks target individuals for their status or function: journalists, lawyers, activists, politicians, senior officials, members of steering committees of strategic sectors, etc," CERT-FR said.

The development comes less than a month after it emerged that a security flaw in WhatsApp (CVE-2025-55177, CVSS score: 5.4) was chained with an Apple iOS bug (CVE-2025-43300, CVSS score: 8.8) as part of zero-click attacks.

WhatsApp subsequently told The Hacker News that it had sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign. It's not known who, and which commercial spyware vendor, is behind the activity.

The disclosure comes as Apple has introduced a security feature in the latest iPhone models called Memory Integrity Enforcement (MIE) to combat memory corruption vulnerabilities and make it harder for surveillance vendors, who typically rely on such zero-days for planting spyware on a target's phone.

In a report published this week, the Atlantic Council said the number of United States investors in spyware and surveillance technologies jumped from 11 in 2023 to 31 last year, surpassing other major investing countries such as Israel, Italy, and the United Kingdom.

Altogether, the study has flagged two holding companies, 55 individuals, 34 investors, eighteen partners, seven subsidiaries, 10 suppliers, and four vendors that established themselves in the last year in the spyware marketplace. This includes new spyware entities in Japan, Malaysia, and Panama, as well as vendors like Israel's Bindecy and Italy's SIO.

"The quantity of U.S.-based entities investing in the spyware market is three times greater than in the next three highest countries with the most investors," the report said, adding "56% of investors are incorporated in Israel, the United States, Italy, and the United Kingdom."

"Tesellers and brokers now are key actors in the spyware market – comprising more sample market share than previously demonstrated – and oftentimes are under-observed and not readily addressed in current policy deliberations."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms

Authorities have named Tyler Robinson as a suspect in the murder of right-wing influencer Charlie Kirk, citing Discord messages as evidence of his alleged role.

The manhunt for the shooter who killed conservative activist Charlie Kirk ended Friday with a suspect taken into custody, authorities said.

Utah’s Department of Public Safety and the FBI confirmed the arrest during a morning briefing, capping a two-day search that began after the 31-year-old podcaster and Turning Point USA cofounder was fatally shot at Utah Valley University in Orem, Utah, on Wednesday.

Authorities identified the suspect as 22-year-old Tyler Robinson of Washington, Utah, after receiving a tip from a friend of Robinson’s family. Officials said the tip came late Thursday night, prompting agents to move quickly to locate and arrest him. A $100,000 reward for information leading to the identification and arrest of the shooter was announced Thursday.

President Donald Trump first announced the arrest in a live interview on Fox News, claiming, “With a high degree of certainty, we have him.”

At a press briefing Friday, Utah governor Spencer Cox announced Robinson had been arrested in the early hours of September 12 after a family member reached out to a family friend, who contacted authorities. The friend told investigators that Robinson had hinted at his involvement in the shooting. The tip was relayed through local law enforcement to the FBI and Utah county investigators, who matched Robinson’s gray Dodge Challenger and clothing to campus surveillance footage from the day of the shooting. A family member also told investigators that Robinson spoke critically of Kirk.

Cox said Robinson’s roommate also cooperated, showing investigators Discord messages in which Robinson discussed retrieving and hiding a rifle, leaving it wrapped in a towel, monitoring the drop site, and engraving bullets.

Later on Friday, Discord told NBC News in a statement that the company “identified a Discord account associated with the suspect,” which Discord has now removed. However, the company said the discussion Cox cited did not involve that account.

“The messages referenced in recent reporting about planning details do not appear to be Discord messages,” a Discord spokesperson told NBC News. “These were communications between the suspect’s roommate and a friend after the shooting, where the roommate was recounting the contents of a note the suspect had left elsewhere.”

FBI director Kash Patel outlined the bureau’s role in the investigation, stressing the speed of the response and coordination with Utah authorities. He said agents arrived on scene within 16 minutes of the shooting, secured the area alongside local police, and quickly began moving evidence to FBI labs in Quantico for analysis. “The FBI and our partners are proud to stand here today together to bring justice to the family of Charlie Kirk and honor his memory,” he said.

Patel closed his remarks with a brief eulogy for Kirk, saying, “I’ll see you in Valhalla.”

Beyond the Discord account mentioned by Cox, Robinson appears to have had virtually no online footprint that could be immediately identified in public or private databases. Internet users produced images they claimed came from family photo albums posted online, but the accounts of his immediate family members were shut down quickly, and these images couldn't be verified; none pointed to any obvious motive or ideology.

In a statement, Utah State University confirmed that Robinson briefly attended the school for one semester in 2021.

Investigators recovered a Mauser .30-caliber hunting rifle near the scene of the shooting, allegedly abandoned by the gunman as he fled into a wooded area. A spent round was found in the chamber, with three live cartridges in the magazine. Cox said Friday that the casings bore engraved inscriptions. They reportedly include memes to crude jokes, such as “if you read this, you are gay. LMAO.”

Authorities say the shooter fired from a rooftop overlooking a courtyard where Kirk was hosting one of his trademark “prove me wrong” campus debates. Widely shared footage online shows Kirk addressing a question on mass shootings when a bullet suddenly strikes him in the neck.

Roughly 3,000 people are estimated to have been in attendance. Millions more were confronted by gruesome footage of the incident online, in some cases autoplaying across major platforms like TikTok, Instagram, and X, where researchers say efforts to combat the spread of violent content have broadly declined.

The investigation unfolded at a moment when the FBI was already under fire. In recent weeks, the bureau has endured sweeping dismissals of senior and mid-level agents, moves alleged in a lawsuit this week to be politically motivated purges. The shake-ups are said to have sapped institutional knowledge and morale, signaling to agents that defying political directives could cost them their careers.

The days after the shooting were marked by confusion. Within hours, state and federal officials issued conflicting accounts of whether anyone had been detained. The FBI’s Patel briefly announced that a “subject” was in custody, only to later announce that the person had been released. Scrapped press conferences and uneven briefings fueled further uncertainty, with rampant speculation on TV news and social media rushing to fill the gaps in credible information.

Far-right influencers and extremist groups took to posting the personal details of people they accused of celebrating Kirk’s death, triggering harassment campaigns and death threats. Within hours of the shooting, a website began compiling names, social media handles, and employers of accused offenders.

That atmosphere grew even darker on Thursday, when the Democratic National Committee’s headquarters in Washington, DC, was briefly locked down over a bomb threat, which Capitol Police later deemed not credible. More than a dozen historically Black colleges and universities received hoax threats that forced lockdowns and class cancellations across several campuses.

Patel defended the FBI’s investigation during Friday’s press conference, saying it took “less than 36 hours—33 hours, in fact” for authorities to arrest Robinson. “This is what happens when you let good cops be cops,” Patel said.

FBI communications reviewed by WIRED show that agents had previously flagged Kirk’s events as potential flash points. In an April 2021 email, first obtained by the nonprofit Property of the People via public records request, a member of a Seattle-based FBI intelligence group is shown alerting other agents to Kirk’s appearances in Washington state. The events are listed among others flagged for having the potential to “lead to political violence.”

_Updated 3 pm ET, September 12, 2025: Added comment from Discord regarding messages related to the shooting._

Charlie Kirk Shooting Suspect Identified as 22-Year-Old Utah Man

Together, we can foster a culture of collaboration and vigilance, ensuring that we are not just waiting for a hero to save us, but actively working to protect ourselves and our communities.

Without Federal Help, Cyber Defense Is Up to the Rest of Us

The US Transportation Department reportedly warns that solar-powered devices used in highway infrastructure have undocumented radios. Is the risk real?

Latest News