Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware.

This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely.

It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.

****Two Botnets, One Goal****

The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.

The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.

These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as lzrd here_._ These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning attackers quickly adapted known information.

The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means manage web. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”

****Beyond Wazuh: Other Exploited Flaws****

While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in systems like Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers use a broad approach, trying to infect systems through any available weakness.

Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.

Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 specifically targets active Wazuh servers if they are not updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.

Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools…

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools by malicious groups from countries like China, Russia, North Korea, and Iran.

In a new report released earlier this week, OpenAI announced it has successfully shut down ten major networks in just three months, demonstrating its commitment to combating online threats.

The report highlights how bad actors are using AI to create convincing online deceptions. For instance, groups connected to China used AI to post mass fake comments and articles on platforms like TikTok and X, pretending to be real users in a campaign called Sneer Review.

This included a false video accusing Pakistani activist Mahrang Baloch of appearing in a pornographic film. They also used AI to generate content for polarizing discussions within the US, including creating fake profiles of US veterans to influence debates on topics like tariffs, in an operation named Uncle Spam.

North Korean actors, on the other hand, crafted fake resumes and job applications using AI. They sought remote IT jobs globally, likely to steal data. Meanwhile, Russian groups employed AI to develop dangerous software and plan cyberattacks, with one operation, ScopeCreep, focusing on creating malware designed to steal information and hide from detection.

An Iranian group, STORM-2035 (aka APT42, Imperial Kitten and TA456), repeatedly used AI to generate tweets in Spanish and English about US immigration, Scottish independence, and other sensitive political issues. They created fake social media accounts, often with obscured profile pictures, to appear as local residents.

AI is also being used in widespread scams. In one notable case, an operation likely based in Cambodia, dubbed Wrong Number, used AI to translate messages for a task scam. This scheme promised high pay for simple online activities, like liking social media posts.

The scam followed a clear pattern: a “ping” (cold contact) offering high wages, a “zing” (building trust and excitement with fake earnings), and finally, a “sting” (demanding money from victims for supposed larger rewards). These scams operated across multiple languages, including English, Spanish, and German, directing victims to apps like WhatsApp and Telegram.

OpenAI actively detects and bans accounts involved in these activities, using AI as a ‘force multiplier’ for its investigative teams, the company claims. This proactive approach often means many of these malicious campaigns achieved little authentic engagement or limited real-world impact before being shut down.

Adding to its fight against AI misuse, OpenAI is also facing a significant legal challenge regarding user privacy. On May 13, a US court, led by Judge Ona T. Wang, ordered OpenAI to preserve ChatGPT conversations.

This order stems from a copyright infringement lawsuit filed by The New York Times and other publishers, who allege OpenAI unlawfully used millions of their copyrighted articles to train its AI models. They argue that ChatGPT’s ability to reproduce, summarize, or mimic their content without permission or compensation threatens their business model.

OpenAI has protested this order, stating it forces the company to go against its commitment to user privacy and control. The company highlighted that users often share sensitive personal information in chats, expecting it to be deleted or remain private. This legal demand creates a complex challenge for OpenAI.

OpenAI Shuts Down 10 Malicious AI Ops Linked to China, Russia, Iran, N. Korea

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing attackers abuse TLDs like .li, .es, and .dev to hide redirects, steal credentials, and bypass detection. See top domains flagged by ANY.RUN in 2025.

Some phishing sites don’t need fancy tricks, just the right domain name. And you won’t always spot it until it’s too late.

Hackers have become masters at abusing certain Top-Level Domains (TLDs), like .com, .ru, or .dev, to host phishing pages, fake login portals, or malware redirects. While many TLDs are used for legitimate purposes, others are repeatedly exploited to trick users into handing over sensitive information.

Recent sandbox data from ANY.RUN highlights the **20 TLDs most frequently used in phishing campaigns** in 2025. These domains are central to fake delivery scams, credential harvesting pages, and multi-stage redirect chains.

****Which TLD is the Most Abused by Attackers?****

According to ANY.RUN’s 2025 data, the **.li** domain ranks #1 in phishing abuse by ratio. An alarming **57%** of observed .li domains were flagged as malicious. But here’s the twist: many of them don’t host phishing content directly. Instead, .li is widely used as a **redirector;** a middleman that sends unsuspecting users to fake login pages, malware downloads, or credential harvesting sites.

These indirect roles in phishing chains often go unnoticed by detection tools, making .li a quiet but dangerous enabler in many attacks.

Top 20 phishing TLDs observed inside ANY.RUN sandbox analysis sessions

For instance, in this ANY.RUN analysis session, we see a .li domain in action. At first glance, it seems harmless. 

View analysis session

.li domain observed inside the interactive sandbox

As soon as it loads, the browser is quietly redirected from the .li domain to a .com version of the same name, maintaining a sense of legitimacy before finally landing on a phishing page tied to a crypto-mining scam. 

There’s no flashy malware or obvious warning sign, just a quick, invisible switch that hands the user over to an attacker-controlled site.

Phishing page detected by ANY.RUN sandbox

This kind of redirection tactic makes .li especially slippery. But it can be easily spotted inside the ANY.RUN sandbox, where analysts can **trace every redirection in real-time**, uncover hidden phishing paths, and extract critical IOCs before users ever click the link. Because the malicious content often lives one hop away, tools that rely only on domain blacklists or static scans frequently miss it.

Gain control over phishing investigations with full redirection paths, behaviour traces, and real-time analysis. Start analyzing with ANY.RUN.

****Other Commonly Abused TLDs in Phishing Campaigns****

While .li tops the list by ratio, it’s far from the only domain zone being misused by attackers. Several others stand out due to the **high frequency and recurring use in phishing campaigns**.

****.es: Fake Logins and Delivery Scams****

.es, Spain’s country code TLD, has become a popular choice for attackers running credential phishing and fake delivery scams. Phishing pages using .es often mimic familiar services like Microsoft 365 or postal couriers, tricking users into entering their login credentials or payment information. The domains feel local and trustworthy, making them especially dangerous for Spanish-speaking users.

Phishing attack using fake Microsoft attack with .es domain

****.sbs: Cheap Domains for Credential Harvesting****

Because .sbs domains are incredibly cheap to register, attackers use them for quick-hit phishing campaigns. These domains often host fake tracking pages, urgent payment requests, or impersonate corporate portals, each crafted to steal login details or credit card numbers. The low barrier to entry makes .sbs a go-to for disposable phishing infrastructure.

Malicious activity with .sbs domain detected by ANY.RUN

****.cfd: Frequently Used in Phishing Kits****

Another budget TLD, .cfd shows up often in phishing kits posing as document sharing or government portals. These sites may appear to be PDF viewers or tax forms but are designed to harvest sensitive information, usually corporate credentials or ID data.

Since the branding is generic and the sites are throwaway, attackers can spin them up in bulk.

Phishing attack with .cfd domain observed inside interactive sandbox

****.ru: Familiar-Looking but Malicious****

Despite being a legitimate country-code domain, .ru remains a common sight in malicious campaigns. Many phishing actors use it to lend a sense of credibility, especially when targeting users in or near Russia. It’s frequently used to host fake login forms or distribute malware disguised as software downloads.

.ru domain with a fake Microsoft login page detected by ANY.RUN

****.dev: Abused via Trusted Platforms****

.dev domains are often tied to Google’s hosting services, such as pages.dev and workers.dev, giving them an automatic layer of legitimacy through HTTPS and clean interfaces. Phishing pages hosted here can look polished and professional, making them harder to distinguish from real services, even for tech-savvy users. This makes .dev a powerful tool for impersonating SaaS platforms or cloud services.

Workers.dev abused by attackers

****The Fastest Way to Uncover Phishing Threats****

Interactive sandboxes like ANY.RUN allows security teams to safely detonate suspicious URLs, monitor real-time redirections, and expose phishing behaviour as it unfolds. With verdicts in under 40 seconds, analysts can quickly understand whether a domain is benign, malicious, or part of a broader campaign.

Key benefits for SOC teams:

*   **Trace full redirect chains** – Follow every jump, even when the initial domain appears harmless or masked behind a short link.
*   **Uncover phishing kits, credential stealers, and scam pages** – See phishing behaviour in action, including form captures, fake login flows, and injected scripts.
*   **Extract IOCs and artefacts automatically** – Get domain names, URLs, IPs, dropped files, and more without manual digging.
*   **Reduce investigation time and false positives** – Use behaviour-based verdicts to make faster, more confident decisions.
*   **Inspect phishing pages across platforms** – Identify threats targeting Windows, Android, Linux, and web environments from a single interface.
*   **Simulate real user behaviour** – Interact with phishing pages to trigger hidden actions like redirects, pop-ups, or fake login prompts.
*   **Generate shareable reports instantly** – Export evidence and IOC-rich reports for incident response, team handoffs, or client notifications.

20 Top-Level Domain Names Abused by Hackers in Phishing Attacks

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London…

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London trial. Stability AI calls the lawsuit an “overt threat” to the generative AI industry.

London’s High Court began hearing a major legal case on June 9, 2025, involving Getty Images and Stability AI. This highly anticipated trial, expected to last three weeks, is being called “the most significant case to reach the High Court” by leading intellectual property lawyers.

****The Dispute****

At the heart of the case is Getty Images’ accusation that Stability AI, a London-based developer of generative AI systems, illegally collected millions of Getty’s copyrighted images without permission, hence breaching copyright laws.

Getty, a prominent visual media company and stock photography licensor, alleges that Stability AI copied and altered content from its website, gathered via the LAION-5B dataset, which includes billions of image-text pairs scraped from various websites including Getty’s, to train its Stable Diffusion model. This model can create new, synthetic images based on user commands.

Getty points to Stability AI’s UK presence and English-language website as evidence of targeting UK users, arguing that Stability altered its content by adding noise and creating further copies during the decoding process for training, all without consent.

Additionally, Getty claims that not just images created by Stable Diffusion copied significant portions of their copyrighted content, these sometimes even displayed Getty’s watermarks. They also allege that if users provide Getty images as prompts, the AI’s output can be almost identical.

This landmark case extends beyond just copyright. Getty also alleges trademark infringement and database rights infringement. They claim Stability AI used Getty’s registered trademarks, “GETTY IMAGES” and “ISTOCK” in both the training data and the generated outputs.

****Stability AI’s Counter Claims:****

Stability admits using some Getty images for training but argues the training happened outside the UK. It denies infringement, stating that it didn’t use Getty’s trademarks in the course of trade and its generated images don’t use Getty’s copyrighted works, so, any similarities are accidental since users are responsible for any copying, not the platform itself.

Additionally, Getty’s claim that Stability AI unlawfully extracted and reused a significant portion of its database content for AI training, is challenged by questioning the validity of Getty’s asserted database rights.

Stability lawyer Hugo Cuddigan states that Getty’s lawsuit is “an overt threat” to its business and the broader generative AI industry. Its spokesperson claims that artists using their tools are creating works based on “collective human knowledge,” which aligns with “fair use and freedom of expression.”

However, Lindsay Lane, Getty Images’ lawyer, clarified that their case is not against technology but against the use of copyrighted works “without payment,” asserting that AI and creative industries can coexist.

****Impact on AI and Creativity****

This case has emerged at a time when creative industries are grappling with the implications of AI models trained on existing copyrighted material. Legal experts believe this case is expected to deliver one of the first substantive judgments in the global wave of AI-related intellectual property disputes.

Legal expert Iain Connor, an intellectual property partner at Michelmores LLP, shared his comment with Hackread.com, emphasizing the case’s importance in setting boundaries for copyright in the AI era.

“This is the most significant AI case to reach the English High Court. The legal community is waiting with bated breath to see how far the judgment will go to rule on the legality or otherwise of the use of AI models.”

“The case is much more nuanced than ‘big tech vs creative industries’ and the legal arguments are even more nuanced as one of the big issues to be determined is ‘where did the ingestion of information which allegedly infringes Getty Images take place?” added Iain.

“The judge may take the opportunity to rule widely on the lawfulness of AI’s use of ‘input materials” and whether “AI output” infringes third-party rights,” he explained. _“_Alternatively, the decision could be a damp squib and deal with the case on the narrow jurisdictional issue of where Stability AI trained its AI model which, if outside the UK, could leave us without a meaningful verdict.”

Getty Images Sues Stability AI for Using Its Photos to Train AI Models

Explore how learning management systems (LMS) software supports safe online learning, protects employee data, and ensures compliance in…

Explore how learning management systems (LMS) software supports safe online learning, protects employee data, and ensures compliance in corporate training. 

Online training has taken off these days, particularly with the popularity of remote and hybrid work settings. The 2024 Training Industry Report shows that 34% of small businesses and 36% of larger organizations are now maximizing virtual or computer-based methods to train and enhance their teams. The transition to online learning has sped up significantly, completely changing how companies nurture their talent. (1)  

This article explains how modern LMS software supports secure employee learning and what features businesses should prioritize when selecting a platform.  

****Why Secure Online Learning Matters**  **

If you’ve ever handled employee records, certifications, or internal training materials, you already know the risks of exposing these pieces of information. Data breaches and unauthorized access are real threats that can cost you dearly. Even a single and minor security breach can lead to legal penalties, damage your reputation, and worst of all, lose the trust of your employees and clients.  

The stakes are even higher for global organizations. Privacy laws like GDPR have strict guidelines on how personal data should be handled, and failing to observe them can lead to fines of up to 4% of your annual revenue. (2)  

According to TalentLMS, a secure LMS software provider since 2012, LMS must provide features like encryption, access controls, and audit trails. All these are designed to help organizations meet regulatory requirements while keeping sensitive information safe.

****How LMS Software Supports Security**  **

Modern learning management systems are designed with multiple layers of security protocols to help reduce risks. Here are several ways they ensure your data stays safe:  

****Following Global Security Standards**  **

Dependable LMS providers follow internationally recognized security standards. Two of the most important certifications you should look for are ISO/IEC 27001:2013 and ISO 9001:2015.  

The ISO/IEC 27001:2013 standard protects information assets through effective risk management. This means organizations should have strong controls in place and have effective plans for handling security issues.  

ISO 9001:2015, on the other hand, focuses on quality management systems. It ensures the LMS provider follows strict development processes to avoid problems caused by software bugs or inconsistent updates that hackers could exploit. 

Think of it as a dual strategy: ISO 27001 secures your data, and ISO 9001 ensures the software is built with attention to quality and dependability. Choosing an LMS that aligns with these standards means teaming up with a provider dedicated to global best practices. 

If your organization operates in or serves clients within the European Union, complying with GDPR is a must. Even companies based outside the EU often embrace GDPR principles to build trust and simplify their international dealings. A GDPR-compliant LMS guarantees that personal data is handled legally, transparently, and for specific purposes.  

Here are some key features to consider:  

*   **Explicit consent management:** Employees must consent to data collection and be clearly informed how their information will be utilized.

*   **Data minimization:** The LMS should only gather what’s necessary, with no unnecessary employee details. 

*   **Right to erasure:** Users can request the deletion of their data, and the platform must comply within strict timeframes.

An LMS built with the GDPR principles ensures that privacy is prioritized at every step.  

****Applying Quality and Security Best Practices**  **

Beyond certifications and compliance, top-tier LMS platforms should integrate security into their DNA. Here’s what that looks like in practice:  

*   **Regular security audits:** Auditors should spot vulnerabilities before they can be exploited. Look for providers who perform penetration tests and code reviews. These audits mimic real-world attacks to uncover any weak spots. If a vulnerability is discovered, the vendor should fix it immediately and record how they resolved it. 

*   **Secure infrastructure:** Your data should be encrypted both while it’s being transmitted and when it’s stored. Adding multi-factor authentication (MFA) can also lower your chances of being targeted by hackers by an impressive 99%. For instance, even if a hacker manages to steal a password, they’ll still need a one-time code sent to the employee’s phone to get into the system. (3) 

*   **Role-based access controls (RBAC):** Not every user needs full admin rights. RBAC limits access to sensitive features based on job roles, which helps reduce insider threats. For example, a training manager might be able to upload content but wouldn’t have the ability to export employee data. Similarly, an external contractor might only be able to view certain courses without having access to internal reports. 

*   **Continuous monitoring:** Real-time threat detection systems can flag suspicious activities, such as multiple failed login attempts or unusual data downloads. 

These practices come together to form a “defence in depth” strategy and make it extremely harder for attackers to find a weakness. 

****Takeaway**  **

When you invest in the right LMS software, you can successfully protect sensitive data, observe global regulations, and promote a culture of security awareness. Focus on platforms that meet ISO standards, respect and follow GDPR principles, and integrate security at every level of their design. 

**References:** 

1.  “68 Training Industry Statistics: 2025 Data, Trends & Predictions”, Source: https://research.com/careers/training-industry-statistics  
2.  “The Consequences of Non-Compliance with Data Protection Regulations on Business Analytics”, Source: https://www.researchgate.net/publication/386409782\_The\_Consequences\_of\_Non-Compliance\_with\_Data\_Protection\_Regulations\_on\_Business\_Analytics  
3.  “Multifactor Authentication”, Source: https://www.cisa.gov/topics/cybersecurity-best-practices/multifactor-authentication

How LMS Software Supports Secure Online Employee Learning

Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api.

Security researchers have identified two npm packages that do far more than they claim. Disguised as utilities for system monitoring and data syncing, these packages introduce destructive backdoors that can remotely wipe out all files in a developer’s application, on demand.

Socket’s Threat Research Team exposed the malicious packages, express-api-sync and system-health-sync-api, both published under the npm account “botsailer.” While the names suggest harmless functionality, the underlying code tells a much darker story.

****A Dangerous Disguise****

According to the company’s technical report shared with Hackread.com, the express-api-sync package presents itself as a simple tool for syncing databases. But instead of syncing anything, it injects a hidden HTTP POST endpoint (/api/this/that) into any Express app that includes it.

Once triggered with the hardcoded key “DEFAULT\_123,” it executes the Unix command rm -rf *, effectively erasing everything in the application’s current directory, source code, configs, user uploads, and even local databases.

This attack activates silently. No logs, no console output, and thanks to an empty error handler, no indication if the route registration fails. Most developers wouldn’t notice anything unusual until it’s too late.

****Sophisticated Threat****

While express-api-sync is destructive, system-health-sync-api takes things further. It’s structured like a real system monitor, complete with a functioning health check, SMTP integration, and dynamic support for Express, Fastify, and even raw HTTP servers.

Beneath the surface, it gathers server data, hostname, IP, process ID, and environment hash, and sends it via email to a hardcoded address: anupm019@gmailcom. It even logs backend URLs, helping attackers map server infrastructure.

This package supports cross-platform file deletion: rm -rf * for Unix-based systems and rd /s /q . for Windows, a command that doesn’t just delete files, it wipes the current directory entirely.

****Built-In Command and Control****

The backdoor can be triggered via two POST endpoints (/_/system/health and /_/sys/maintenance), each requiring the secret key “HelloWorld.” Developers might think the configuration is customizable, but default values ensure the attacker’s access works unless settings are explicitly overridden.

Email is used as a covert control channel. SMTP credentials are baked into the package, masked with Base64 encoding but easily decoded. When the system starts, the malware checks connectivity to the mail server. If successful, it confirms that the attacker’s command channel is active.

****How It Works Behind the Scenes****

1.  **Reconnaissance**: A GET request to /_/system/health returns system info.
2.  **Dry Run (optional)**: If configured, attackers can test without causing damage.
3.  **Destruction**: A POST request with the right key triggers full file deletion.
4.  **Notification**: Email alerts are sent with detailed server fingerprints and backend URLs.

The package even adjusts responses to help attackers understand when keys are incorrect, offering hints on proper usage.

Analysis of the malicious express-api-sync package by Socket’s AI-powered scanner (Via Socket)

Most supply chain attacks focus on stealing data or cryptocurrency. These two packages aim for destruction. It’s a shift in motivation, from profit to sabotage. Attackers now appear more interested in taking systems offline, collecting infrastructure intel, or disrupting competitors. And they’re building tools that can sit dormant, gather information, and activate when least expected.

The use of middleware makes this even more dangerous. Middleware runs on every request and often has full access to app internals. These packages exploit that trust, quietly embedding routes with the power to destroy an entire production environment.

Jim Routh, Chief Trust Officer at Saviynt, commented on the latest development, stating, “This is a case of a software supply chain compromise using malware designed to appear to be benign that then activates a back door once it is embedded. The key for enterprises is to improve the identity access management for everyone with access to the software build process including employees and contractors.”

Developers and DevOps teams should review their dependencies immediately. Use behavioural scanning tools that inspect what packages do, not just what they claim. Traditional scanners miss these threats because they don’t look at runtime behaviour.

Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems

A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses…

A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses from over 500 Canva Creators. The exposed data included email addresses, feedback on Canva’s Creator Program, and personal insights into the experiences of designers across more than a dozen countries.

The data exposure was discovered by cybersecurity firm UpGuard, which confirmed the database was publicly accessible and lacked authentication. While much of the database stored generic or public data, one particular collection stood out: it contained responses to a detailed survey issued to Canva Creators, a global group of content contributors to the design platform.

The survey data included 571 unique email addresses and detailed responses to 51 questions, covering topics such as royalties, user experience, and AI adoption. Some email addresses appeared multiple times, indicating that users had completed the survey more than once.

According to UpGuard’s report shared with Hackread.com ahead of publishing on Monday, this incident is the first known leak involving a Chroma database, a technology used to help chatbots reference specific documents when responding to queries.

The database, hosted on an IP address in Estonia, appeared to be controlled by My Jedai, a small Russian company that provides AI chatbot services. Users of the platform can upload documents of any type to power their chatbots, often without much technical oversight.

The presence of Canva data in this context raised questions about how sensitive information ends up in AI training systems or chatbot backends. Although Chroma is not inherently insecure, it requires proper configuration to prevent public exposure. In this case, the database was left wide open to the internet.

Canva responded to the findings with a statement to Hackread:

> _“We recently became aware that a file containing email addresses and survey responses from a small group of Canva Creators was uploaded to a third-party website. The information was not connected to Canva accounts or platform data in any way. The database owned by the third-party site was not adequately secured, which led to the information being accessible.”_
> 
> _“The issue was reported to us by a security researcher, who discovered the exposed information using specialist tools, but is not broadly accessible to regular internet users, nor was it indexed by popular search engines. We’ve confirmed the file contents have been removed, and site logs show it was not accessed by others.”_
> 
> _“We’ve already contacted the affected Creators and are complying with all our legal obligations, including notifying regulators where required. We’re deeply invested in keeping our community’s data safe and secure, and we’re reviewing our processes to help prevent this from happening again.”_
> 
> _\-Canva spokesperson_

While there’s no indication that the data has been misused, experts point out that even limited personal information combined with survey content can be useful for targeted phishing attempts. Respondents shared details about their professional roles, creative habits, and satisfaction with the Canva platform, information that could be exploited if placed in the wrong hands.

My Jedai, the company whose database was exposed, is a microenterprise founded in Russia. It allows users to build chatbots powered by their own documents. The company was quick to act once notified and secured the exposed database within a day of UpGuard’s outreach.

The leak shows how AI technologies are creating new, unpredictable channels for data exposure. As more companies adopt tools like Chroma to power customer-facing bots or internal assistants, the pressure to push data into these systems can lead to shortcuts and mistakes.

This case also highlights how widely AI tools are being used around the world, often in unexpected ways. Data collected in surveys by an Australian tech giant ended up in an unsecured database managed by a small Russian firm, hosted on servers in Estonia. With the increasing use of LLMs and third-party chatbot tools, traditional boundaries for data custody are becoming harder to track.

UpGuard noted that many of the documents in the database were harmless or even nonsensical, including “mystical doctrines” and romantic advice scraped from public websites like Marie Claire and WikiHow.

However, the presence of real-world corporate data, including internal chat transcripts and links to restricted file-sharing platforms, shows how easy it is for more sensitive content to slip into AI systems without proper protection.

Limited Canva Creator Data Exposed Via AI Chatbot Database

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and…

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and March 2025. Learn about the “PurpleHaze (aka Vixen Panda)” and “ShadowPad” operations and the persistent threats.

A new report from cybersecurity firm SentinelLABS has exposed a wide-reaching campaign of cyberattacks, strongly believed to originate from **China**. These activities, which took place from July 2024 to March 2025, were aimed at numerous organizations globally, including government agencies, media companies, and, notably, SentinelOne.

While the scale of the attacks was significant, SentinelLABS has confirmed that its own infrastructure remained uncompromised. Reportedly, in October 2024, SentinelLABS **detected** early probing activities targeting SentinelOne’s internet-accessible systems. This was part of a larger cluster of suspicious activities they named PurpleHaze (aka Vixen Panda)“.

Later, in early 2025, SentinelLABS assisted in stopping a separate intrusion. This incident was connected to a broader operation called “ShadowPad” and impacted a company responsible for managing computer equipment for SentinelOne’s staff. In both scenarios, extensive checks by SentinelLABS confirmed that SentinelOne’s own network, software, and devices were not compromised.

The combined PurpleHaze and ShadowPad efforts did not stop there. They affected over 70 different organizations across the world, including a government entity in South Asia and a major European media organization. Beyond these, a wide array of businesses in manufacturing, finance, telecommunications, and research were also impacted.

Source: SentinelLABS

SentinelLABS has confidently linked these coordinated attacks to what they term “China-nexus threat actors.” These are groups suspected of having strong ties to the Chinese government’s spying programs. The investigation found connections between some PurpleHaze intrusions and well-known Chinese cyber espionage groups, specifically APT15 and UNC5174.

The hackers used a variety of advanced tools and techniques. A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access. Another tool, part of the GOREshell family, which includes reverse_ssh backdoor variants were also deployed.

Infrastructure Overview (Source: SentinelLABS)

These groups frequently utilized Operational Relay Box (ORB) networks, a method that allows them to create a constantly changing network of control points, making their activities harder to track and identify.

They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. Furthermore, some attacks involved publicly available tools from The Hacker’s Choice (THC), a community of cybersecurity researchers.

Craig Jones, Vice President of Security Operations at Ontinue, a Redwood City, Calif.-based managed detection and response (MDR) provider commented on the latest development stating, _“_What SentinelOne is seeing now is classic China-nexus activity, it echoes exactly what was tracked during the Pacific Rim attacks when I led the defence activity at Sophos._“_

“Back then, we saw the same playbook: highly targeted operations, stealthy implants on edge devices, and a relentless focus on long-term access to high-value infrastructure. This isn’t new, it’s a continuation of a well-honed strategy,_“_ Craig added.

These detailed findings highlight the sophisticated and persistent nature of these state-sponsored operations and emphasize the critical need for constant monitoring across all sectors.

(Image by Monica Volpin from Pixabay)

Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS

Tel Aviv, Israel, 9th June 2025, CyberNewsWire

**Tel Aviv, Israel, June 9th, 2025, CyberNewsWire**

Available to the public and debuting at the Gartner Security & Risk Management Summit, Browser**Total** is a first of its kind browser security assessment tool conducting more than 120 tests to provide posture standing, emerging threat insights, URL analysis, extension risks, and more. 

Seraphic Security, a leader in enterprise browser security, today announced the launch of Browser**Total**, a unique and proprietary public service enabling enterprises to assess their browser security posture in real-time. The launch coincides with the Gartner Security & Risk Management Summit 2025, where Seraphic will be showcasing the new platform with live demos at booth #1257. 

Powered by AI, Browser**Total** offers CISOs and security teams a comprehensive, hands-on environment to test browser security defenses against today’s most sophisticated threats. Key features of the platform include: 

*   Posture analysis and real-time weakness detection 
*   Insights on emerging web-based threats and phishing risks 
*   A novel, state-of-the-art in-browser LLM that analyzes results and generates tailored recommendations 
*   A live, secure URL sandbox for safely testing suspicious links and downloads 
*   And more interactive tools that bring browser security front and center 

> “Web browsers have become one of the enterprise’s most exploited attack surfaces,” said Ilan Yeshua, CEO and co-founder of Seraphic Security. “With Browser**Total**, we’re giving security leaders a powerful, transparent way to visualize their organization’s browser’s security risks, and a clear path to remediation. What makes this truly groundbreaking is that we’re democratizing access to enterprise-grade security analysis. By making Browser**Total** freely available to the entire security community, we’re not just protecting individual organizations; we’re strengthening the collective defense against increasingly sophisticated web-based threats.” 

> “We created Browser**Total** because we saw a critical gap in how organizations understand and prepare for browser-based attacks,” said Avihay Cohen, CTO and co-founder of Seraphic Security. “This isn’t just another security tool, it’s an educational platform that lets security teams experience firsthand how sophisticated these threats have become. My hope is that by making this technology freely available, we can elevate the entire community’s awareness and readiness against the next generation of web threats.” 

Attendees of the Gartner Security & Risk Management Summit 2025 can experience Browser**Total** firsthand at booth #1257. The Seraphic team will be providing live demos, expert insights, and one-on-one consultations on closing the browser security gap. Users can book a demo time in advance here.  

In Q1 of 2025, Seraphic Security announced a $29 million Series A fundraising led by GreatPoint Ventures with participation from the CrowdStrike Falcon Fund and existing investors Planven, Cota Capital, and Storm Ventures. To learn more about Seraphic Security and its patent browser security solution, users can click here.  

**About Seraphic Security:** 

Seraphic is a leader in the rapidly growing Enterprise Browser Security market, driven by its patented technology that turns any browser into a secure browser with robust protection and detection capabilities. Seraphic delivers SWG, CASB, and ZTNA to simplify existing security architectures and significantly reduce SSE cost. Seamlessly and easily deployed, Seraphic also enables secure access to SaaS and private web applications to employees and third parties from managed and personal devices without the complexity and cost of VDI & VPN. Invisible to the end-user, Seraphic supports all browsers and SaaS desktop applications like Teams, Slack, Discord, and WhatsApp. For more information, users can visit https://seraphicsecurity.com. 

**Contact**

**Head of Content Marketing**  
**Eric Wolkstein**  
**Seraphic Security**  
**\[email protected\]**

Seraphic Security Unveils BrowserTotal™ – Free AI-Powered Browser Security Assessment for Enterprises

Cisco Talos discovers PathWiper, a destructive new malware targeting critical infrastructure in Ukraine, highlighting ongoing cyber threats amidst the Russia-Ukraine conflict.

A newly identified malware named PathWiper was recently used in a cyberattack targeting essential services in Ukraine. Cybersecurity experts at Cisco Talos reported the incident this week and shared details with Hackread.com.

For your information, wipers are a type of malware designed to erase or corrupt data on computer systems, making them unusable. In this attack, the cybercriminals managed to get into a legitimate system that manages computer networks. They likely had inside knowledge of this system, which allowed them to send harmful commands and spread PathWiper to connected devices, researchers noted.

“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” the company wrote in its blog post.

The malware works by replacing important parts of a computer’s file system with random information. It finds all connected storage devices, including hard drives and network drives, and then overwrites their contents. The attackers tried to make their actions look like normal operations of the network management tool to avoid detection.

Cisco Talos believes that a Russian-backed Advanced Persistent Threat (APT) actor is behind this disruptive attack. Their confidence comes from observing similar attack methods and the capabilities of this wiper malware, which match previously seen attacks on Ukrainian targets.

****Similarities and Differences to Other Attacks****

PathWiper shares some features with another wiper malware called HermeticWiper, which also targeted Ukrainian entities in 2022. Both PathWiper and HermeticWiper aim to damage key parts of a computer’s storage, like the Master Boot Record (MBR) and files related to the New Technology File System (NTFS).

However, there’s a key difference in how they corrupt drives. PathWiper is more advanced; it carefully identifies all connected drives, even those that are temporarily disconnected, and verifies them before wiping. In contrast, HermeticWiper uses a simpler method of just trying to corrupt a range of physical drives.

The attack shows the continuing danger to Ukraine’s critical infrastructure as the conflict with Russia carries on. It is recommended to use security products for endpoint protection, email security, firewalls, network analysis, and malware analysis. These tools help organizations detect and prevent malicious activity, block harmful emails and websites, and provide multi-factor authentication to allow access only to authorized users.

Source

HackRead