Cybercriminals exploit a WSUS vulnerability to deploy Skuld Stealer malware, even after Microsoft released an urgent security patch.

A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld  Staler malware, according to new research from the cybersecurity firm Darktrace.

This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets.

The initial security fix released by Microsoft as part of its October 2025 Patch Tuesday wasn’t completely successful in solving the risk, forcing a second, urgent update (called an out-of-band patch) on October 23. However, even with the updates available, criminals started using the flaw right away, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add the problem to its list of exploited vulnerabilities on October 24.

****The Attack Timeline****

Darktrace investigated two separate incidents involving US-based customers where this vulnerability was utilised by attackers. The first signs of trouble began on October 24, 2025- the same day CISA added the flaw to its list.

In the initial case, a WSUS server belonging to a firm in the Information and Communication sector began making unusual connections to webhook.site around 3:55 AM. Subsequent communication was seen, with some connections using the common tools PowerShell and cURL.

As we know it, these are legitimate programs, but attackers were misusing them to remotely control the server. By October 26, the device started connecting to rare subdomains of workersdev, a service often abused by hackers.

Further probing revealed the device downloaded a legitimate security tool called Velociraptor. The attackers used a vulnerable version of this tool to create a hidden communication ‘tunnel’ back to their command server. The malicious communication continued into October 27, leading to the possible download of the final payload: a data-stealing program called Skuld Stealer.

This stealer takes sensitive information like crypto wallets, and the attackers aimed to “maintain persistence in enterprise environments, bypassing traditional defences,” according to the Darktrace report shared with Hackread.com

****Education Sector Incident****

A second, similar attack was detected shortly after the first, impacting a WSUS server within the Education sector. This device also made outgoing connections using PowerShell to webhook.site on October 24.

While Darktrace did not see further network activity, it is worth noting that the customer’s own security system flagged malicious activity on October 27, suggesting the compromise may have continued secretly on the computer.

Case 1: A timeline outlining suspicious activity detected by Darktrace, and Case 2: A timeline outlining suspicious activity on the device

The research confirms how criminals are “leveraging WSUS to deliver malicious payloads.” Darktrace researchers emphasise that an exploit of this kind can lead to considerable damage, from data theft to a full-scale network compromise.

This chain of events also clearly shows that companies need to be ready to protect against attacks, especially now that criminals are misusing even normal, trusted programs to break in.

Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch

Ukrainian man accused of helping run Conti ransomware extradited from Ireland to the U.S. to face charges over global cyberattacks and $150M in ransom payments.

A Ukrainian national accused of helping run one of the world’s most damaging ransomware operations, Conti, is now in US custody. After being extradited from Ireland, 43-year-old Oleksii Oleksiyovych Lytvynenko made his first court appearance in the Middle District of Tennessee to face charges tied to the Conti ransomware group.

Prosecutors allege that between 2020 and 2022, Lytvynenko worked with others to spread Conti ransomware all over the globe. The group infiltrated computer systems, locked critical files, and demanded cryptocurrency payments to restore access and keep stolen data private.

It also became one of the most aggressive and profitable operations of its kind before breaking apart in 2022. The FBI estimates the group carried out more than a thousand attacks in 47 US states, Puerto Rico, and over 30 countries, collecting about 150 million dollars in ransom payments, more than any other ransomware strain targeting critical infrastructure at the time.

Conti hit a long list of targets over the years. The Fourth District Court of Louisiana was among the first known targets in September 2020, followed by the Broward County Schools district in Fort Lauderdale in April 2021.

Later that year, in December, Scandinavian hotel chain Nordic Choice was hit, disrupting operations across multiple locations. The following months brought more high-profile attacks, including KP Snacks, the United Kingdom’s second-largest snack maker, in February 2022, and German wind turbine manufacturer Nordex in April 2022.

The group’s methods were as aggressive as they were sophisticated. Conti actors exploited major security flaws such as the Log4j vulnerability and ProxyShell exploits, both of which were widely abused by cybercriminals at the time.

But the group also faced problems of its own after an insider using the name “m1Geelka” leaked internal chats and code, claiming the operators were underpaying their recruits. That leak exposed details about how the gang worked and who was involved.

In one particularly controversial incident, Conti published thousands of records stolen from Graff, a luxury jewellery retailer based in the United Kingdom, in October 2021. The data included information on high-profile clients, among them members of royal families from Saudi Arabia, the United Arab Emirates, and Qatar. Following backlash, the group issued an unusual public apology, claiming it had not intended to harm those specific individuals.

Authorities believe Lytvynenko managed stolen data from numerous victims and was involved in sending ransom notes during Conti’s attacks. Irish police arrested him in July 2023 at the request of US officials, and after months of legal proceedings, he was extradited earlier this month. Court filings also allege that he continued to engage in cybercrime right up until his arrest in Ireland.

According to the US Department of Justice’s press release, Lytvynenko faces one count of conspiracy to commit computer fraud, carrying a maximum penalty of five years in prison, and one count of conspiracy to commit wire fraud, which carries up to twenty years.

The latest extradition adds to a series of actions targeting ransomware operators linked to Conti and similar groups. In June 2025, Ukrainian police arrested a ransomware cryptor developer connected to both the Conti and LockBit gangs. That arrest was part of Operation Endgame, a coordinated international effort aimed at dismantling the infrastructure and personnel behind major cybercrime networks.

Ukrainian Conti Ransomware Suspect Extradited to US from Ireland

The Akira ransomware group claims to have stolen 23GB of data from Apache OpenOffice, including employee and financial records, though the breach remains unverified.

The **Akira ransomware group** claims to have breached Apache OpenOffice and stolen 23GB of data. Apache OpenOffice, for those unfamiliar, is a free and open-source office software suite developed by the Apache Software Foundation.

It includes tools similar to Microsoft Office, serving as a free alternative available on Windows, Linux, and macOS. The suite offers Writer for word processing, Calc for spreadsheets, Impress for presentations, Draw for graphics and diagrams, Base for databases, and Math for creating mathematical formulas.

As seen by _Hackread.com_, Akira claims the stolen data includes sensitive documents such as employee records containing physical addresses, phone numbers, driver’s licenses, social security cards, and credit card information.

Other allegedly stolen data includes financial records, internal confidential files, and what the group describes as “lots of reports about their problems with the application and so on.”

”We will upload 23 GB of corporate documents soon. Employee information (addresses, phones, DOB, driver’s licenses, social security cards, credit cards information and so on), financial information, internal confidential files, lots of reports about their problems with the application and so on,“ the group wrote on its dark web leak site.

Akira Ransomware group on its dark web leak site (Image credit: Hackread.com)

****Current Status****

At the time of writing, the Apache Software Foundation has not confirmed any breach of **Apache OpenOffice** systems or data. The listing remains unverified, and it is unclear whether Akira’s claim involves actual compromise or recycled information from previous incidents. Hackread.com has reached out to Apache for comment.

If confirmed, a breach of Apache OpenOffice could expose internal development data or contributor information, but users of the office suite are unlikely to be directly affected at this stage. The OpenOffice download infrastructure is separate from its development servers, so no public software distribution appears to be compromised.

****About Akira Ransomware Group****

Akira is a ransomware-as-a-service (RaaS) operation that **first emerged in 2023**. It has carried out hundreds of attacks across the United States, Europe and other regions, earning tens of millions of dollars in ransom payments.

Its **tactics** include double extortion, meaning stealing data and then encrypting systems, and it has variants for Windows, Linux/VMware ESXi. Bitdefender’s Threat Debrief report published in March 2025 found the Akira ransomware group **hacking webcams** of its victims.

The group communicates in **Russian in dark web forums**, and its ransomware checks for Russian language keyboard layouts to avoid attacking systems in Russian-speaking regions.

Nevertheless, OpenOffice users are advised to download Apache OpenOffice only from the official website and avoid third-party links shared on social media or forums. Until the Apache Software Foundation confirms details, there is no indication that end-user data or installations are affected.

Akira Ransomware Claims It Stole 23GB from Apache OpenOffice

ZÜRICH, Switzerland – Flowable, a global provider of enterprise automation and orchestration software, has been recognized in the…

ZÜRICH, Switzerland – Flowable, a global provider of enterprise automation and orchestration software, has been recognized in the inaugural 2025 Gartner® Magic Quadrant™ for Business Orchestration and Automation Technologies.

The Magic Quadrant evaluates vendors based on their completeness of vision and ability to execute. According to the Gartner report, “Business orchestration and automation technology platforms unify process orchestration, connectivity and agentic features to enable enterprise-wide automation.”

“We are honored to be included in Gartner’s first Magic Quadrant for Business Orchestration and Automation Technologies,” said Micha Kiener, chief technology officer and co-founder at Flowable. “We believe this recognition highlights our continued focus on dynamic case management, orchestration, and natively embedded agentic AI that help enterprises in regulated industries run complex work with adaptability and governance at enterprise scale.”

Flowable’s agentic case platform coordinates people, AI agents, and business processes in a unified, governed environment that delivers advanced intelligent automation, control, and autonomy. “Our platform is designed to coordinate humans and AI in a responsible, governed way-ensuring agility, auditability, and scale,” Kiener added.

The company’s capabilities, including agentic case management and its orchestration framework, are aligned with Gartner’s definition of a Business Orchestration and Automation Technology (BOAT) platform.

Flowable enables enterprises to model and automate complex, exception-driven processes across sectors such as banking, insurance, healthcare, and manufacturing. This approach ensures that critical business operations remain compliant and efficient even in highly regulated environments.

Flowable’s architecture also embeds responsible AI orchestration within its core, allowing organizations to safely integrate multi-agent systems while maintaining governance and transparency. Built on open automation standards – BPMN, CMMN, and DMN – the Flowable platform promotes interoperability, flexibility, and innovation without vendor lock-in.

For a complete view of the report’s assessment of the business orchestration and automation market and vendors, including Flowable, access the full report here.

****Gartner Disclaimer****

Gartner, Magic Quadrant for Business Orchestration and Automation Technologies, Saikat Ray, Tushar Srivastava, Marc Kerremans, Arthur Villa, Cathy Tornbohm, Sachin Joshi, 15 October 2025.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation.

Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

****About Flowable****

Flowable is a global provider of enterprise automation software headquartered in Zurich, Switzerland. Since 2010, Flowable’s software has helped organizations coordinate automation, people, and processes through a unified platform built on open standards. The company serves leading enterprises across industries where adaptability and accountability are essential. For more information, visit www.flowable.com.

****Media Contact****

Violet Diamanti-Race   
\[email protected\]  
+41 31 329 09 00

Gartner Recognizes Flowable in 2025 Magic Quadrant for Business Orchestration and Automation Technologies

Are you using a fake version of a popular app? Appknox warns US users about malicious brand clones hiding on third-party app stores. Protect yourself from hidden spyware and ‘commercial parasites.’

A new report from mobile application security provider Appknox reveals a troubling trend where malicious apps are masquerading as trusted brands like ChatGPT, DALL·E, and WhatsApp.

Appknox’s investigation, which focused on US-based third-party app stores, found that these app clones range from harmless unofficial interfaces to full-scale surveillance tools. More importantly, these fakes are currently available to US users through these alternative stores.

****The Advertising Deception****

One such app, named DALL·E 3 AI Image Generator, was found on the Aptoide store. Appknox researchers determined that this app pretends to be an image-generation tool from OpenAI, but it has no actual AI capability.

Instead, its code only connects to advertising networks like Unity Ads, AppsFlyer, Adjust, and Bigo Ads. The app displays a fake loading screen that looks like an image is being generated, but network logs confirm it is just loading advertisements in disguise.

“It’s not malware in the strict sense,” said Abhinav Vasisth, Lead Security Researcher at Appknox. Instead, “it is a commercial parasite that profits from deception. It sells ad impressions, not intelligence.”

Further probing revealed that this application was likely built using commercial templates from a developer known for reusing code across many fake app listings.

****Spyware Hidden Behind a Chat Icon****

The most serious threat is WhatsApp Plus. Disguised as an upgraded messenger, this app is a complete spyware framework. After installation, it silently requests broad permissions, including access to contacts, SMS, and device accounts. This access allows the app to intercept crucial data like one-time passwords (OTPs).

Apart from simple privacy invasion, the extensive permissions grant the spyware the power to intercept banking verification codes and execute identity fraud. In short, it doesn’t just steal information; it effectively steals a person’s digital identity and financial access.

For companies, spyware like WhatsApp Plus creates a systemic enterprise threat. It can steal multi-factor authentication codes and infiltrate corporate accounts. In regulated sectors (Finance, Healthcare), these risks massive compliance failures under frameworks like GDPR, HIPAA, and PCI-DSS, resulting in hefty fines, the report reads.

****The Grey Area: Harmless Wrappers****

However, researchers found that not all cloned apps are harmful. For instance, the ChatGPT Wrapper app was an authentic, unofficial interface that genuinely connected to the OpenAI API for chat requests, with no hidden malicious code.

This app actually sits in a “grey zone” of convenience as it is “not endorsed by OpenAI, but not deceptive either,” researchers noted in the blog post shared exclusively with Hackread.com.

These findings are alarming because they prove how easily users can be tricked by the AI hype. Given their diversity in deception, from simple ad traps to dangerous spyware, it becomes essential for users to be careful about where they download their apps from.

Spyware-Plugged ChatGPT, DALL·E and WhatsApp Apps Target US Users

Ribbon Communications discloses a year-long breach by nation-state actors. The attack highlights critical supply chain risk, reflecting the Salt Typhoon and F5 espionage trends.

Ribbon Communications, a key American telecom firm that helps run the world’s major phone and data networks, has revealed a major security breach. The company confirmed that nation-state hackers, working for an unnamed foreign power, infiltrated its computer systems and remained hidden for almost a full year without detection.

The Texas-based company, which makes the technology that enables real-time communications (like allowing a standard voice call to connect with web-based systems or conference applications), made the disclosure public in its 10-Q Quarterly Report filed with the US Securities and Exchange Commission (SEC) and published on its own website on October 23.

Ribbon Communications 10-Q filing with the SEC (Credit: Hackread.com)

****Discovery and Damage Assessment****

Ribbon discovered the unauthorised access in early September 2025, prompting an immediate investigation. Early probing revealed that the initial compromise may have occurred as far back as December 2024.

The company stated that they have found no evidence yet that the attackers gained access to any “material information” or managed to infiltrate any of their customers’ own systems. However, they did confirm that the hackers accessed four older customer files saved on two laptops outside of the main network, and the three smaller customers whose files were involved have already been notified.

****A Broader Espionage Trend****

Ribbon Communications is currently working with federal law enforcement and multiple outside experts to investigate the intrusion, and they believe the attackers have been successfully evicted from the network.

This exposure is particularly upsetting because Ribbon Communications serves a vast, international customer base, including telecom giants like Verizon, BT, Deutsche Telekom, and even the US Department of Defence.

This incident intensifies the threat to telco firms, given the consistently increasing trend of nation-state actors targeting them for espionage. As _Hackread.com_ has been observing lately, this aligns with major ongoing campaigns such as the Salt Typhoon campaign, where telecom organisations globally were targeted using backdoors like SNAPPYBEE and leveraging network device vulnerabilities.

It also follows the recent state-backed attack on F5, which led to the theft of BIG-IP source code and vulnerability research. The pattern shows a clear focus on technology providers to gain deep intelligence.

The year-long breach comes as no surprise that companies like Ribbon are high-value targets for state-aligned hackers, especially since they work with both major government and critical infrastructure organisations, making them a vital point of compromise in the global supply chain

In response to the news, Ryan McConechy, CTO of Barrier Networks, shared comments with Hackread.com, emphasising the concerning stealth of the attack:

“This latest breach against a major telecommunications provider is further evidence that the online world has become the preferred playing field for all adversaries today. We don’t know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning.

This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance, which can advance their objectives in the future.”

McConechy concluded by stressing the need for better preparation among critical infrastructure providers:

“As nation state threat actors focus their attention on targeting critical infrastructure and other telco firms, it is essential these organisations are prepared for these assaults. The UK government recently updated its cyber-Code of Practice for Telcos, so following the recommendations outlined there is a vital first step.”

Year-Long Nation-State Hack Hits US Telecom Ribbon Communications

Silver Spring, USA/ Maryland, 30th October 2025, CyberNewsWire

**Silver Spring, USA/ Maryland, October 30th, 2025, CyberNewsWire**

*   **The new capabilities, anchored by Blended Identity and the MCP Identity Gateway, give enterprises a secure and auditable way to manage how AI agents identify themselves and access sensitive systems.**

Aembit today announced the launch of Aembit Identity and Access Management (IAM) for Agentic AI, a set of capabilities that help organizations safely provide and enforce access policies for AI agents as they move into production. The release introduces Blended Identity, which defines how AI agents act on behalf of verified users, and the MCP Identity Gateway, which ensures secure access to enterprise resources based on identity, access policy, and runtime attributes.

The new offering extends the Aembit Workload IAM Platform to address one of the most pressing operational questions in artificial intelligence and modern IT: how to control what autonomous and user-driven AI agents can access, under what conditions, and with what accountability.

AI agents are rapidly becoming a key part of enterprise operations. Nearly half of technology executives say they are already adopting or fully deploying agentic AI, and about the same share expect most of their AI deployments to be autonomous within two years, according to an EY survey. These agents retrieve sensitive data, open tickets, and execute code across cloud, on-premises, and SaaS environments.

Yet most access models were built for people, not self-directed software. Many still rely on static secrets and shared credentials, creating risk and obscuring accountability. Worse yet, agents’ actions are often hidden behind the identity of a human, making it almost impossible to audit the actions each actor has taken. The result is a widening gap between the pace of AI adoption and the ability of organizations to secure it with confidence.

Aembit IAM for Agentic AI assigns each agent a cryptographically verified identity, issues ephemeral credentials, and enforces policy at runtime. The system records every access decision and maintains attribution across both human-driven and autonomous agent activity. By bringing agent activity under the same centralized policy control plane that governs other workloads, Aembit enables enterprises to deploy AI at scale while maintaining control, auditability, and compliance.

> “Enterprises want to say yes to agentic AI, and they’re asking Aembit for ways to securely grant agents access to data and applications,” said David Goldschlag, co-founder and CEO of Aembit. “Aembit IAM for Agentic AI gives enterprises the same level of control and audit over agent access that IAM systems have long provided for employees. Our approach enables organizations to advance their AI initiatives without expanding their threat and risk surface.”

The release introduces two core capabilities to the Aembit Workload IAM Platform:

*   **Blended Identity**, which gives every AI agent its own verified identity and, when needed, binds it to the human it represents. This establishes a single, traceable identity for each agent action and allows Aembit to issue a secure credential that reflects that combined context.
*   **MCP Identity Gateway**, which receives that identity credential and controls how agents connect to tools through the Model Context Protocol (MCP). The gateway authenticates the agent, enforces policy, and performs token exchange to securely retrieve the necessary access permissions for each connected resource – without ever exposing them to the agent runtime.

Together, this functionality allows enterprises to apply least-privilege access, revoke permissions immediately when needed, and ensure that every AI action is attributable and auditable. They operate on Aembit’s established Workload IAM foundation, which enforces policy dynamically at runtime, issues ephemeral credentials just in time, and records structured events for full traceability.

Aembit developed IAM for Agentic AI through collaboration with large businesses, government organizations, and innovative agentic AI startups deploying AI for operational and security workloads. Those efforts helped shape an approach that combines enterprise enforcement with the adaptability AI projects demand.

> “AI agents don’t live inside one stack or trust domain,” said Kevin Sapp, co-founder and CTO of Aembit. “They move between hybrid environments in seconds. With Aembit, every agent carries a verified identity that our gateway can authenticate and control in real time. It’s how enterprises can give agents the access they need to work, while never losing sight of who they are or what they touch.”

Aembit IAM for Agentic AI is now available to customers using its Workload IAM Platform. Organizations can learn more, request a demo, or get started today at aembit.io.

**About Aembit**

Aembit is the identity and access management platform for agentic AI and workloads. It enforces access based on identity, context, and centrally managed policies, giving organizations a singular place to control access risk from AI agents, automate credential management, and accelerate AI adoption. With Aembit, enterprises can confidently control access to sensitive resources across all the workloads that power their business. Users can visit aembit.io and follow the company on LinkedIn.

**Contact**

**Apurva Dave**  
**Aembit**  
**\[email protected\]**

Aembit Introduces Identity and Access Management for Agentic AI

Silent Push wars of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns.

Silent Push researchers have identified Russian-linked ransomware groups abusing Adaptix, a legitimate penetration testing tool now used to deliver malware targeting infrastructure worldwide.

The investigation began when Silent Push researchers were tracking a new malware loader called **CountLoader**. During that work, they noticed Adaptix being deployed to drop malicious payloads, leading the team to dig deeper. Once detection methods were updated, new activity started appearing across multiple campaigns, suggesting that cybercriminals had already adopted Adaptix as part of their toolkit.

It is worth noting that last month, researchers identified the CountLoader malware after it was spotted twice in campaigns posing as emails from the Ukrainian police. In the **first case**, Silent Push analysts observed attackers using a fake PDF notice to trick recipients into downloading and running CountLoader.

The **second incident**, reported by FortiGuard Labs, involved similar fake police notices that delivered additional malware, including Amatera Stealer, which targets data, and PureMiner, a cryptojacker that infects Windows systems.

****Linux, Windows, and macOS****

Further analysis by Silent Push points to a figure known online as “**RalfHacker**,” believed to be the developer behind Adaptix. According to the company’s report, this individual runs a Russian language Telegram channel used to promote and sell the tool, connecting it directly to Russian cybercrime networks.

Although AdaptixC2 was originally built as a post-exploitation and adversary emulation framework for penetration testers, its features make it powerful, which also makes it appealing to attackers. The server side is written in Golang, while the graphical client is built in C++ with a QT interface, allowing it to run smoothly on Linux, Windows, and macOS.

In legitimate security testing, this cross-platform support is quite valuable, but in the wrong hands, it means the same tool can be used to target almost any device. Silent Push’s findings suggest that this flexibility has made Adaptix an easy choice for threat actors looking to deliver or control malware across different systems.

AdaptixC2 Framework interface

While Adaptix itself remains an open source resource often used for legitimate penetration testing, its misuse by threat actors highlights how freely available tools can be repurposed for malicious gain.

Silent Push’s research shows how quickly cybercriminals can turn legitimate security tools for malicious purposes. After **Cobalt Strike**, Adaptix has become the new favourite among hackers for spreading malware and running ransomware operations.

The research also points out the importance of monitoring open source utilities. Silent Push’s full analysis, including indicators of compromise and technical insights, is available on their **official blog**.

Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks

A major Microsoft outage has disrupted Azure, Microsoft 365, Xbox, and Minecraft worldwide after a configuration failure, with services now gradually recovering.

On October 29, 2025, Microsoft suffered a widespread infrastructure disruption that knocked out multiple services globally and left enterprises and consumers scrambling. The incident began when a configuration change went wrong in Microsoft’s cloud network, causing cascading failures across key platforms.

Microsoft issued a status update stating that its Azure Front Door content-delivery system and parts of its internal routing were impacted, resulting in DNS resolution failures and broader connectivity issues for its services. The disruption began around midday Eastern Time in the United States and quickly spread across regions, according to tracking sites such as DownDetector.

****Services impacted****

The outage impacted both enterprise and consumer-facing platforms, including but not limited to:

*   Microsoft Azure cloud portal, where customers reported their inability to access the portal and management tools.

*   Microsoft 365 (formerly Office 365), which caused sign-in issues, admin centre failures and degraded service for productivity apps.

*   Microsoft Teams, where users reported connectivity issues.

*   Minecraft and Xbox Live, where Gamers reported server and login problems, causing problems for consumer services as well.

*   Microsoft Copilot, where some users indicated degraded performance within the AI/assistant feature in 365.

*   Retail, airlines, and other third-party services relying on Microsoft cloud also reported connectivity issues. Some of them include Alaska Airlines and Vodafone, both reporting problems linked to Azure downtime.

Minecraft outage in the USA (Screenshot via DownDetector)

**Dependency on Cloud Services**

Cloud-based services are designed for high availability, but this incident shows how a misconfiguration in one component can set off a series of problems in many critical services.

Earlier this month, Amazon Web Services (AWS) experienced a large-scale disruption that took down major websites and apps across the Americas, Europe, and Asia. The company later confirmed that it had resolved the issue, restoring normal operations to most affected platforms. The outage disrupted several sectors, including gaming networks, financial institutions, and major social media platforms.

**Current status and outlook**

Microsoft says it has deployed a fix and has begun rolling back to a “last known good configuration” while rerouting traffic around the affected infrastructure. Some services are showing signs of recovery, and DownDetector reports are tapering off, though Microsoft cautions that full mitigation may take several more hours.

If you’re using Microsoft’s cloud or consumer services, start by checking the official status page or admin dashboard for updates on the incident, such as MO1181369 for Microsoft 365. Those managing enterprise workloads in Azure can use CLI or PowerShell commands if the main portal remains inaccessible.

For consumer platforms like Xbox and Minecraft, the best option is to wait and try again later, as intermittent issues may continue during the recovery process. Businesses should also take this moment to review their reliance on a single cloud provider and consider stronger contingency plans for future large-scale outages.

Microsoft Azure status page is available here.

Microsoft 365 network health status page is available here.

Microsoft Outage Hits Azure, 365, Xbox, Minecraft and More

A new investigation from mobile security firm Zimperium has revealed a fast-growing cybersecurity threat targeting Android users through…

A new investigation from mobile security firm Zimperium has revealed a fast-growing cybersecurity threat targeting Android users through their tap-to-pay systems. The company’s research team, zLabs, has been tracking hundreds of malicious apps that use Android’s Near Field Communication (NFC) and Host Card Emulation (HCE) features to steal payment data, turning infected phones into tools for payment fraud.

Since April 2024, analysts have uncovered more than 760 malicious apps built to intercept card data in real time. Although it started with a few isolated cases, it has now become a global issue, with infections seen in Russia, Poland, the Czech Republic, Slovakia, Brazil, and several other countries.

The findings, published in Zimperium’s report titled “Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices,” show that this method of attack is spreading fast as cybercriminals look for new ways to exploit mobile payments.

The malicious apps pretend to be official banking or government applications, copying the look and feel of trusted brands such as Google Pay, VTB Bank, Santander, and the Russian State Services Portal (Gosuslugi).

List of organizations impersonated by the malicious apps (Image via Zimperium)

Once installed, these fake apps prompt users to set them as their default payment method. However, in reality, they activate NFC relay functionality that forwards card data to remote servers controlled by attackers, allowing them to perform fraudulent transactions almost instantly.

According to Zimperium’s blog post shared with Hackread.com, the operation involves more than 70 command-and-control servers and numerous Telegram bots coordinating the scam and resale of financial data.

The malware communicates using structured commands, where one infected device collects payment data and another device uses it to complete transactions at a physical terminal. The entire exchange happens through live relay, letting attackers spoof legitimate NFC payments without physical access to the victim’s card.

Researchers also noted that these apps are carefully disguised. They display authentic-looking interfaces within a simple web view, often showing real logos and text from financial institutions to convince users they are genuine.

Once the device is compromised, the app quietly relays sensitive information such as card numbers, expiration dates, and EMV data through private Telegram channels, where cybercriminals manage stolen credentials and sales.

Unlike traditional banking trojans that depend on overlays or SMS interception, this new generation of malware abuses Android’s Host Card Emulation capability to act like a virtual payment card. It’s a more direct and efficient approach that bypasses security designed for older types of malware aimed at financial data.

Zimperium’s detection systems have already identified and blocked multiple NFC relay malware families through its Mobile Threat Defense (MTD) and zDefend platforms. However, the company’s findings point to the need for stronger protection for NFC permissions and payment privileges.

If you are an Android user, the best protection for now includes downloading apps from the official Google Play Store, avoiding third-party stores, using updated mobile security software, using common sense and staying alert to unknown requests involving payment settings.

Source

HackRead