Austin, United States / TX, 22nd July 2025, CyberNewsWire

**Austin, United States / TX, July 21st, 2025, CyberNewsWire**

Living Security, the global leader in Human Risk Management (HRM), today released the 2025 State of Human Cyber Risk Report, an independent study conducted by leading research firm Cyentia Institute. The report provides an unprecedented look at behavioral risk inside organizations and reveals how strategic HRM programs can reduce that risk 60% faster than traditional methods.

Drawing on behavioral data from more than 100 enterprises and hundreds of millions of user events, the study offers a first-of-its-kind, data-driven map of where cyber risk actually lives in the workforce and how leading organizations are shrinking it. The report confirms a long-suspected but rarely proven reality: a small fraction of employees (just 10%) are responsible for 73% of risky behavior. According to the findings, it’s clear that protecting the enterprise in 2025 means managing people, not just systems.

> “Security teams have always known the human factor plays a critical role in breaches, but they’ve lacked the visibility to act on it,” said Ashley Rose, CEO and Co-founder of Living Security. “Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it.”

**Key Findings from the Report:** 

*   Human risk is concentrated, not widespread: Just 10% of employees are responsible for nearly three-quarters (73%) of all risky behavior.
*   Visibility is alarmingly low: Organizations relying solely on security awareness training (SAT) have visibility into only 12% of risky behavior, compared to 5X that for mature HRM programs.
*   Risk is often misidentified: Contrary to popular belief, remote and part-time workers are less risky than their in-office peers.
*   HRM works: Companies using Living Security’s Unify platform cut their risky user population by 50% and reduced high-risk behavior duration by 60%.

**From Awareness to Action: Making Human Risk Measurable**

Unlike traditional reports that focus on external threats or compliance audits, the 2025 State of Human Cyber Risk Report centers on internal risk behaviors and how they change with the right interventions.

The report includes:

*   A detailed breakdown of what constitutes human risk across behaviors, events, and attributes
*   Analysis of how risk is distributed across roles, industries, and access levels
*   Persona-based insights using behavioral alignment models
*   Proof that HRM initiatives, especially behavior-triggered action plans, dramatically reduce organizational risk exposure

**A Call to Cybersecurity Leaders**

With budgets tightening and threats evolving, the stakes are clear: cybersecurity can no longer rely on awareness alone. Leaders must prioritize behavioral visibility, targeted action, and ROI-driven results. 

> “Cybersecurity is no longer just about technology, it’s about behavior,” said Rose. “If we don’t understand who our riskiest users are, why they’re at risk, and how to help them improve, we’ll continue chasing symptoms instead of solving the root problem.”

**Looking Ahead**

These findings come at a time when AI agents and digital co-workers are entering the enterprise and the attack surface is evolving fast. As pioneers in Human Risk Management, Living Security sees this evolution clearly: the future of cyber resilience isn’t just about managing human risk, it’s about managing behavioral risk, wherever it originates. This report not only celebrates measurable progress on the human side, but also signals what comes next: a future where enterprises govern both humans and agents through shared visibility, standards, and accountability.

**About the Report**

The 2025 State of Human Cyber Risk Report was produced in partnership with the Cyentia Institute using anonymized data from Living Security’s Unify platform over the last several years. It reflects hundreds of millions of real-world user events and decisions, collected and analyzed to provide a clear picture of how human risk shows up, and how it can be reduced.

The full report is available for download at: https://www.livingsecurity.com/2025-human-risk-report-key-cybersecurity-insights. For a deeper look at the findings, users can join a live webinar with Cyentia researchers and Living Security CEO Ashley Rose on July 23 at 3PM ET / 12PM PT by registering here.

**About Cyentia Institute**

The Cyentia Institute is a renowned research firm committed to providing high-quality, data-driven insights to help organizations enhance cybersecurity and effectively manage information risks. Through collaborations with leading industry and government entities, Cyentia continually advances cybersecurity knowledge and practice.

**About Living Security**

Living Security is the global leader in Human Risk Management (HRM), providing a risk-informed approach that meets organizations where they are—whether that’s starting with AI-based phishing simulations, intelligent behavior-based training, or implementing a full HRM strategy that correlates behavior, identity, and threat data streams.

Living Security’s Unify platform delivers 3X more visibility into human risk than traditional, compliance-based training platforms by eliminating siloed data and integrating across the security ecosystem. The platform pinpoints the 8–12% of users who pose the greatest risk and automates targeted interventions in real time—reducing exposure to human risk by over 90%. Powered by AI, human analysis, and industry-wide threat telemetry, Unify transforms fragmented signals into intelligent, adaptive defense.

Named a Global Leader in Human Risk Management by Forrester and trusted by enterprises like Unilever, Mastercard, Merck, and Abbott Labs, Living Security helps security teams move from awareness to action—driving measurable behavior change and proving impact at every stage of the journey.

**For more information, users can find them online at livingsecurity.com or follow on** **LinkedIn****.**

**Contact**

**Living Security Press**  
**Living Security**  
**\[email protected\]**

New Report Reveals Just 10% of Employees Drive 73% of Cyber Risk

Former Hunters International ransomware gang, now World Leaks, claims 1.3 TB Dell data breach, leaking over 400K files with internal tools and user data.

World Leaks, the rebranded version of the Hunters International ransomware gang, has leaked 1.3 TB of internal data, which the group claims belongs to Dell Technologies Inc., the American multinational tech giant.

The announcement was made earlier today, Monday, July 21, 2025, on the group’s official dark web leak site. According to information reviewed by Hackread.com, the leak contains 416,103 files, all publicly available for download. Many of these files directly reference Dell Technologies and appear consistent with internal corporate data.

World Leaks’ claims on its dark web leak site (Image credit: Hackread.com)

****Analysis of the File List****

A closer look at the leaked file list shows what appears to be internal data from across Dell Technologies’ global network. The files come from various regional systems, including the Americas, Europe, and Asia-Pacific, and cover everything from employee folders and software tools to infrastructure scripts and backup data.

Many of the files mention Dell Technologies and its products, such as PowerPath, PowerStore, and firmware for Dell-branded hardware. There are also references to VMware tools, automation scripts written in Terraform, and files linked to system monitoring and internal testing.

Some paths point to browser profiles, log files, and software packages used in development or support environments. What stands out is how often Dell’s name and tools appear throughout the directories, along with structured naming that suggests the data is pulled from real corporate systems. All of this supports the group’s claim that the files are indeed from inside Dell’s infrastructure.

Screenshot from the file list published by World Leak (Image credit: Hackread.com)

It’s also worth noting that World Leaks has not disclosed when the breach of Dell Technologies occurred, how it was carried out, or how the company responded to it.

****Dell’s Statement****

In a statement to Hackread.com, Dell confirmed that a threat actor accessed its internal “Solution Center,” an environment used for product demos and testing. The company emphasised that this system is isolated from customer and partner networks and is not part of its service infrastructure.

According to Dell, the data obtained was primarily synthetic, publicly available, or related to internal scripts and testing outputs. While Dell did not use the term “breach,” its response indicates that unauthorised access did occur. The company says its investigation is ongoing.

****Who Is World Leaks and How Is It Connected to the Hunters International Ransomware Group?****

As Hackread.com reported in early July 2025, World Leaks is the new name adopted by the group formerly known as Hunters International. The gang has changed its approach, now focusing solely on data theft and extortion rather than deploying ransomware. Their approach focuses on stealing sensitive data and threatening to leak it unless they are paid by their victims.

This approach is completely different from how Hunters International operated, where file encryption was used alongside extortion. World Leaks has dropped the encryption part entirely and is now gambling everything on the pressure that comes from the threat of public exposure.

The change could be a strategic one, especially with law enforcement agencies becoming more aggressive and ransomware profits facing more obstacles. By cutting out the encryption step, they reduce the chances of getting caught while still profiting from the stolen data.

World Leaks now uses a custom exfiltration tool to automatically extract large volumes of data from compromised networks. This tool seems to be a more advanced version of the data theft software previously used by affiliates of the original Hunters International group.

****Dell and Cybersecurity Incidents: Nothing New****

A company as large as Dell is always an attractive target for cybercriminals, and this isn’t the first time hackers have claimed to breach its systems. On May 9, 2024, a hacker using the alias “Menelik” claimed to be selling data from 49 million Dell customer accounts.

The following day, on May 10, Dell confirmed the breach but downplayed its severity, stating that the compromised data posed “no significant risk.” The exposed information included full names, physical addresses, Dell hardware and order details, service tags, item descriptions, order dates, warranty information, and more.

In September 2024, a hacker using the alias “grep” announced three separate data breaches involving Dell. One of the breaches reportedly exposed data belonging to more than 10,000 Dell employees.

World Leaks Claims Dell Data Breach, Leaks 1.3 TB of Files

Improve security in your React app with geolocation-based authentication, adding a strong layer beyond passwords to prevent unauthorised access.

The number of cyberattacks keeps growing every year, and human error is still the main cause of security breaches. While it’s impossible to eliminate the user mistake factor entirely, developers can introduce authentication systems that offer more security compared to traditional password-based algorithms. 

Geolocation-based authentication is only one example of an extra security layer, but the approach has already proven effective for preventing unauthorised access. According to Brainence, a custom React development firm, today, many organisations rely on introducing advanced authentication systems and leveraging location data for accessing sensitive information. Of course, no measure today is 100% breach-proof, but geolocation in React apps is a reasonable approach to balancing safety and usability.

****How Geolocation-Based Authentication Works****

Geolocation authentication uses a device’s physical location as part of the verification process. With React authentication systems, it analyses GPS coordinates, IP addresses, and network information to determine if login attempts come from expected locations.

The system works by establishing location baselines for each user account. Simply put, it stores previous login data and monitors for any suspicious activity, in this case, when someone tries to log in from a new location or IP address.

****How Location Increases Security****

Traditional systems rely on passwords, which are easily compromised. An extra safety layer is the use of tokens, but with today’s ever-growing number of cyberattacks, the system is no longer safe either. Geolocation adds the third factor to the safety net, an analysis of where the user is. 

This contextual approach helps identify compromised credentials immediately_._ The React geolocation logic is clear: if the user has a history of logins from Edinburgh, a sudden attempt to access the account from a Manchester address raises the alarm, triggers additional verification steps, or even blocks the suspicious session.

****React Integration with Geolocation Features** **

The library’s component-based architecture makes it especially well-suited for geolocation features. React Native geolocation capabilities allow developers to seamlessly integrate location services across web and mobile applications without compromising user experience.

Besides, web browsers today allow access to geolocation APIs that React developers can leverage. For example, the HTML5 Geolocation API offers high-accuracy positioning that can be easily integrated into authentication workflows through React hooks and state management systems.

****Security Advantages in Practice****

Organisations implementing geolocation authentication report significant improvements in security metrics. A 2024 survey showed that 83% of companies today require multi-factor authentication, and adding location context further strengthens these protective measures.

**Key security benefits include:**

*   Automatic threat detection from unusual geographic locations.
*   Enhanced fraud prevention by identifying impossible travel patterns.
*   Improved incident response with precise location data for forensic analysis.
*   Strengthened compliance with regulatory requirements for access monitoring.
*   Reduced account takeover incidents through location-based anomaly detection.

These improvements translate to measurable business value, as the average cost of a data breach reached £3.58 million in 2024. So, most prevention investments are usually cost-effective.

****Technical Implementation Strategies****

The React user authentication flow can seamlessly incorporate location checks without disrupting the user experience for legitimate access attempts, but there are a few principles to bear in mind. 

****Privacy and User Consent Considerations****

Location data is highly sensitive personal information that requires explicit user consent coupled with careful handling. React applications must implement clear consent mechanisms and provide granular privacy controls that allow users to understand and control how their location data is used.

Modern browsers enforce strict permissions for geolocation access, requiring HTTPS connections and explicit user approval. React applications should also implement graceful fallbacks for users who decline location sharing while still maintaining baseline security measures.

****Advanced Security Patterns****

Beyond basic location verification, React localisation implementations can detect subtle behavioural patterns that indicate potential security threats. Machine learning algorithms can analyse location histories to identify abnormal access patterns that might otherwise appear legitimate.

Geographic velocity analysis is one example of a powerful technique. The idea is to calculate whether the time between login attempts from different locations is physically possible. This approach can instantly identify credential sharing or account compromise scenarios that traditional authentication methods might miss.

****Integration with Existing Security Infrastructure****

Geolocation authentication works best when integrated with comprehensive security frameworks rather than implemented in isolation. Modern React applications should combine location verification with other security measures, including device fingerprinting, behavioural analysis, and traditional multi-factor authentication methods.

Another important consideration is risk level analysis. An app that can differentiate between low-risk and high-risk scenarios can respond accordingly, for example, initiate standard authentication in the first instance, and require additional verification steps in the second case. 

****Takeaway on Performance & Usability****

Of course, modern React applications must balance security requirements with performance demands. Geolocation lookups should be optimised to minimise latency while providing accurate results. Caching strategies and intelligent data management can ensure that location-based authentication strengthens rather than degrades application performance.

Overall, cloud-based geolocation services offer scalable solutions that can handle high-volume authentication requests while providing consistent accuracy across global user bases. These services integrate seamlessly with React applications through standard API interfaces.

Why You Should Use Geolocation in Your React App’s Authentication Process

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.

A phishing campaign targeting JavaScript developers has led to the compromise of several popular npm packages, including eslint-config-prettier. The breach began with an attacker tricking a maintainer using a fake login page hosted on a lookalike domain, npnjs.com.

Once the attacker got hold of the maintainer’s npm token, they pushed malicious versions of key packages directly through the registry, completely bypassing the GitHub repositories.

According to Socket, a developer-first security platform, which first spotted the scam, four versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) were found to contain a script that executes on install, targeting Windows machines. The script attempts to launch a node-gyp.dll file using rundll32, which could allow the attacker to execute arbitrary code on affected systems. Security researchers assigned the issue a CVSS score of 7.5 and confirmed a new CVE (CVE-2025-54313) is being tracked.

Socket’s blog post shared with Hackread.com revealed that the attack went undetected for a while since there were no commits or pull requests in the GitHub repo linked to the new versions.

Instead, the attacker relied on their npm credentials to publish directly, avoiding detection until users started noticing suspicious activity. Other affected packages discovered by researchers included the following:

*   synckit: 0.11.9
*   @pkgr/core: 0.2.8
*   napi-postinstall: 0.3.1
*   eslint-plugin-prettier: 4.2.2 and 4.2.3

These packages are widely used in front-end and Node.js projects. Because many developers rely on automated tools like Dependabot or Renovate, compromised versions may have been pulled into projects without anyone noticing. Once installed, the payload could provide remote access to Windows machines running affected builds.

The phishing email used in the campaign (Image via Socket)

The good news is that the maintainer whose token was compromised acted quickly after learning of the breach. The malicious versions were deprecated and removed, credentials were rotated, and npm support was brought in to assist with the cleanup.

Socket has been monitoring the situation and continues to scan for other suspicious activity across the npm registry. Their tools flag any new versions with unexpected install scripts or binary payloads, which could help developers detect issues early before the malicious code spreads.

Nigel Douglas, Head of Developer Relations at Cloudsmith, commented on the wider implications. He pointed out that this is yet another example of how dependency chains can turn into attack vectors. “CI/CD pipelines pull in hundreds of transitive dependencies by default, each with its own maintainers, update cycles, and exposure history,” he said. “Without secure dependency retrieval processes, it only takes one upstream breach to cause chaos in production.”

Douglas also stressed that it’s unreasonable to expect developers to catch every vulnerability on their own. “If a single stolen maintainer token can push malicious code into one of the most widely used linting tools on npm, that should tell us something. You can’t fix this just by focusing on individual packages,” he added.

He called for stronger maintainer practices like scoped tokens and 2FA, along with registry-level safeguards and secure artifact management systems that support things like version immutability and trusted source verification.

Fake npm Website Used to Push Malware via Stolen Token

Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers…

Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers are already exploiting them in active campaigns.

The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are not present in SharePoint Online, but on-premises environments using SharePoint 2019 and the SharePoint Subscription Edition are directly at risk.

According to Microsoft’s updated guidance, fixes for SharePoint 2019 and Subscription Edition are now available and fully address both vulnerabilities. However, SharePoint 2016 customers are still waiting, as Microsoft says updates for that version are still in development. In the meantime, the company recommends that affected users apply existing patches, enable key protections, and prepare for additional updates.

The two vulnerabilities are dangerous because they allow attackers to execute code and plant web shells on vulnerable servers. Microsoft says these attacks have already been seen in the wild, and one clear sign of compromise is the presence of a suspicious file called spinstall0.aspx. Security analysts recommend checking SharePoint server directories for this file, as it often signals post-exploitation activity.

While fixes are available for some versions, Microsoft emphasises that patching alone is not enough. Customers should also rotate machine keys and restart IIS to fully fix the issue. These steps are particularly important for those running SharePoint Server 2019 and Subscription Edition, where patches are available today.

> Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply…
> 
> — Security Response (@msftsecresponse) July 21, 2025

To protect your system from exploitation, Microsoft is urging organisations to take a layered approach: update immediately, enable the Antimalware Scan Interface (AMSI), rotate machine keys, and deploy endpoint protection.

Microsoft Defender Antivirus and Defender for Endpoint are equipped to detect known behaviour tied to this threat, including specific malware signatures like HijackSharePointServer.A and SuspSignoutReq.A.

The company also recommends deploying Microsoft Defender for Endpoint or a similar threat detection tool, as it provides alerts that could flag exploitation attempts. These might show up in logs as unusual activity in w3wp.exe processes or encoded PowerShell commands tied to web shell deployment.

While Microsoft continues to support 2016 and 2019, older editions like SharePoint 2010 and 2013 are no longer eligible for security updates, exposing your system to further attacks. Therefore, if you’re still using older or unsupported versions of SharePoint, upgrade them to the latest.

Microsoft Confirms Hackers Exploiting SharePoint Flaws, Patch Now

A 72-hour sprint that produced working solutions for one of game development's hardest problems: making it accessible to non-programmers.

The game development industry has a fundamental accessibility problem. Creating a simple game requires knowledge of programming languages, asset creation tools, physics engines, and complex workflows that take years to master. GameForge AI, organized by UK-based Hackathon Raptors, challenged developers to solve this problem using AI in just 72 hours.

The results were remarkable. Following Hackathon Raptors‘ signature format, where participants tackle focused AI challenges over 72 hours, teams built functional tools that could generate playable games from text prompts, create 3D models through conversation, and produce game-ready character assets with built-in accessibility features.

Like their previous RetroAI Quest event that challenged developers to create AI-powered text adventures, GameForge AI pushed boundaries further by expanding beyond text into full game creation. These weren’t demos or mockups, they were deployed, and working systems were evaluated by Raptors’ distinctive two-tier judging process, which combined technical expertise with industry perspective.RetryClaude can make mistakes. Please double-check responses.

****The Distinguished Judging Panel****

The hackathon assembled industry professionals as judges, with five distinguished experts bringing diverse perspectives to the evaluation:

Subhash Bondhala, Network Security Engineer at Dominion Energy with over 11 years of experience protecting critical infrastructure, evaluated the security aspects of AI-powered game development tools. His network defense and data protection expertise proved crucial when assessing how these tools handle user data and prevent potential exploits.

“Security in AI game development isn’t optional when tools execute code based on natural language; the attack surface expands dramatically,” Bondhala noted during evaluations.

Santosh Bompally, Cloud Security Engineering Team Lead at Humana, brought his expertise in multi-cloud security and DevSecOps to assess the infrastructure scalability of submissions. With certifications including AWS Security Speciality and experience building secure systems across AWS, Azure, and GCP, Bompally focused on whether these tools could scale securely.

“The winning projects understood that democratizing game development means building infrastructure that can handle thousands of concurrent users while maintaining security,” he observed.

Denys Riabchenko, Senior Software Developer and Tech Lead at APARAVI, evaluated the projects’ frontend architecture and user experience aspects. With over 10 years of experience in JavaScript, TypeScript, and PHP development, Riabchenko assessed how teams built interfaces that could handle complex AI operations while remaining responsive. His experience leading development teams proved valuable in identifying sustainable architectural patterns.

Ananda Kanagaraj Sankar, Engineering Leader at Thumbtack with previous experience at Uber, brought a unique perspective from building marketplace systems and aviation platforms. Having founded and scaled engineering teams from 0 to 20 engineers at Uber Elevate, Sankar evaluated projects based on their potential to create ecosystems rather than just tools.

“The best submissions weren’t just building features, they were creating platforms that could support entire communities of game creators,” he explained.

Feride Osmanova, a Python Backend Developer at LOVAT COMPLIANCE LTD, assessed the submissions’ backend architecture and API design. With six years of experience building high-load tax automation platforms serving clients in over 47 countries, Osmanova focused on the reliability and efficiency of backend systems. Her expertise with the Django REST Framework and Celery helped identify which projects could handle production workloads.

****Technical Challenges and Solutions****

Creating games through AI requires solving multiple interconnected problems. Teams had to generate consistent visual assets, implement game logic ensuring playability, optimize real-time interaction performance, and create interfaces simple enough for non-technical users.

The winning projects each took different approaches to these challenges:

****First Place: Blender MCP Integration****

Solo developer Abdibrokhim created a Model Context Protocol (MCP) that connects Blender with AI language models. Instead of trying to generate entire games, this project focused on solving one specific problem exceptionally well: enabling 3D modeling through natural language.

                # Simplified example of MCP command translation
    class BlenderMCPServer:
        def translate_natural_language_to_blender(self, prompt):
            # Parse user intent
            intent = self.ai_model.analyze_intent(prompt)
            
            # Map to Blender operations
            if intent.action == "create":
                return self.generate_creation_commands(intent.object_type, intent.parameters)
            elif intent.action == "modify":
                return self.generate_modification_commands(intent.target, intent.changes)
            
        def generate_creation_commands(self, object_type, parameters):
            # Convert high-level request to Blender Python API calls
            if object_type == "character":
                return [
                    "bpy.ops.mesh.primitive_cube_add()",
                    f"bpy.ops.transform.resize(value=({parameters.width}, {parameters.depth}, {parameters.height}))",
                    "bpy.ops.object.modifier_add(type='SUBSURF')"

The system handles complex modeling workflows through conversation, maintaining context across multiple operations. Users can refine models iteratively using natural language rather than learning Blender’s interface.

****Second Place: Game Genie****

Team Game Coders built a complete game prototyping platform. Their approach was to create a pipeline that handles every step from concept to playable game:

**Pipeline Stage**

**Function**

**Technology**

Concept Parser

Interprets game ideas

GPT-4 API

Asset Generator

Creates consistent visuals

Stable Diffusion

Logic Builder

Implements game mechanics

Custom rule engine

Performance Optimizer

Ensures playability

WebAssembly

Export System

Multi-platform deployment

Unity WebGL

The system can generate a playable prototype in under 5 minutes. For example, input “a puzzle game where players guide water through pipes” produces a functional game with generated pipe graphics, physics simulation, and level progression.

****Third Place: AI Character Generator Canvas****

Team NPC focused on a specific but critical need: generating game-ready character assets. Their tool stands out for its attention to quality and accessibility:

    // Character generation with style consistency
    class CharacterGenerator {
        constructor() {
            this.styleCache = new Map();
            this.qualityPresets = {
                draft: { resolution: 512, iterations: 20 },
                production: { resolution: 2048, iterations: 50 }
            };
        }
        
        async generateCharacter(params) {
            // Ensure style consistency across generations
            const styleEmbedding = await this.getOrCreateStyleEmbedding(params.style);
            
            // Generate with progressive quality
            const draftResult = await this.generate(params, this.qualityPresets.draft);
            
            // Show draft immediately
            this.displayDraft(draftResult);
            
            // Generate final quality in background
            const finalResult = await this.generate(params, this.qualityPresets.production);
            
            return {
                draft: draftResult,
                final: finalResult,
                metadata: this.generateAssetMetadata(params)
            };
        }
    }

The tool supports 39 art styles and includes WCAG 2.2 accessibility compliance, making it usable by developers with disabilities, an often overlooked aspect of development tools.

****Infrastructure and Security Considerations****

Building tools that democratize game development requires a strong infrastructure capable of handling varied workloads while maintaining security. The judges’ diverse expertise highlighted different aspects of this challenge.

Bondhala’s security perspective emphasized the importance of sandboxing AI-generated code: “When you allow natural language to generate executable code, you need multiple layers of protection. The winning projects implemented proper isolation and validation.”

Bompally’s cloud architecture experience informed his assessment of scalability approaches: “These tools need to handle burst traffic when thousands of users decide to create games simultaneously. The best projects implemented auto-scaling and efficient resource management.”

The winning teams implemented several key patterns:

****Request Prioritization****

User-facing operations get priority over background processing. Game Genie queues asset generation requests and processes them based on user activity patterns.

****Intelligent Caching****

Generated assets are cached with semantic indexing. When users request “a medieval sword,” the system can return previously generated swords that match the style rather than developing new ones.

****Security Sandboxing****

All AI-generated code runs in isolated containers with limited permissions, preventing potential exploits from affecting the host system.

****Backend Architecture Excellence****

Osmanova’s evaluation focused on how teams structured their backend systems to handle the unique demands of AI-powered game generation.

“Building reliable backend systems for AI applications requires different patterns than traditional web services,” she explained. “You must handle long-running operations, manage queues efficiently, and ensure consistency across distributed components.”

The winning projects demonstrated sophisticated backend architectures:

    # Example from Game Genie's backend architecture
    class GameGenerationService:
        def __init__(self):
            self.task_queue = Celery()
            self.cache = Redis()
            self.storage = S3()
            
        @task_queue.task(bind=True, max_retries=3)
        def generate_game_async(self, task_id, game_spec):
            # Long-running game generation process
            try:
                # Check cache for similar games
                cached_assets = self.find_reusable_assets(game_spec)
                
                # Generate missing components
                new_assets = self.generate_new_assets(game_spec, cached_assets)
                
                # Compile game package
                game_package = self.compile_game(cached_assets, new_assets)
                
                # Store results
                self.storage.upload(f"games/{task_id}", game_package)
                
                return {"status": "complete", "url": self.get_download_url(task_id)}
                
            except Exception as e:
                # Retry with exponential backoff
                raise self.retry(countdown=2 ** self.request.retries)

****Frontend Performance and User Experience****

Riabchenko’s expertise in frontend development provided crucial insights into how teams managed the complexity of AI operations while maintaining responsive interfaces. “The challenge isn’t just making it work, it’s making it feel instant even when AI operations take seconds to complete,” he noted.

The Character Generator Canvas particularly impressed with its progressive loading approach:

    // Progressive UI updates during AI generation
    class ProgressiveRenderer {
        private renderStages = [
            { stage: 'outline', time: 500, quality: 0.2 },
            { stage: 'basic', time: 1500, quality: 0.5 },
            { stage: 'detailed', time: 3000, quality: 0.8 },
            { stage: 'final', time: 5000, quality: 1.0 }
        ];
        
        async renderProgressive(generationPromise: Promise<Asset>) {
            // Show placeholder immediately
            this.showPlaceholder();
            
            // Render progressive updates
            for (const { stage, time, quality } of this.renderStages) {
                setTimeout(() => {
                    this.renderQuality(stage, quality);
                }, time);
            }
            
            // Replace with final result when ready
            const finalAsset = await generationPromise;
            this.renderFinal(finalAsset);
        }
    }

****Building Sustainable Platforms****

Sankar’s experience building and scaling engineering teams at Uber provided a unique perspective on creating platforms rather than features. “The winning projects weren’t just solving immediate problems, they were building foundations for ecosystems,” he observed.

His evaluation highlighted projects that demonstrated:

*   Extensibility: Plugin architectures allowing third-party enhancements
*   Documentation: Comprehensive guides for both users and developers
*   API Design: Clean, versioned APIs that other developers could build upon
*   Community Features: Built-in sharing, collaboration, and feedback mechanisms

****Performance Metrics and Real-World Viability****

The judges evaluated performance across multiple dimensions:

    Performance Benchmarks (Average across winning projects):
    - Time to first playable result: 2-5 minutes
    - Asset generation speed: 3-10 seconds per asset
    - Memory usage: 200-500MB client-side
    - API response time: <2 seconds for 95% of requests
    - Concurrent user support: 100-1000 users per instance

These metrics demonstrate that AI game development tools can achieve performance suitable for production use, not just demonstrations.

****Security Implementation Details****

Bondhala’s security expertise highlighted several critical implementations in the winning projects:

Input Validation – All natural language inputs pass through multiple validation layers before execution 

Rate Limiting – API calls are throttled per user to prevent abuse 

Audit Logging – Every AI operation is logged for security analysis 

Data Isolation – User data is strictly separated, with no cross-contamination possible

****Technical Lessons and Best Practices****

The hackathon revealed several important principles for AI-assisted development:

1.  Focused Solutions Win – Projects that solved specific problems well outperformed those attempting to do everything.
2.  Security First – With AI executing code, security can’t be an afterthought; it must be built into the architecture.
3.  Performance Matters – AI operations must be fast enough to maintain creative flow, requiring clever caching and optimization.
4.  Progressive Enhancement – Show something immediately, even if imperfect, then improve quality in the background.
5.  Platform Thinking – Build APIs and extensibility from the start to enable ecosystem growth.

****Future Directions****

The GameForge AI projects point toward several future developments:

Collaborative AI – Multiple users working with AI to create games together in real-time 

Security Frameworks – Standardized security patterns for AI-powered development tools 

Performance Optimization – Specialized hardware and algorithms for faster AI game generation 

Community Platforms – Marketplaces for sharing AI-generated game assets and templates

****Conclusion****

GameForge AI 2025 demonstrated that AI can meaningfully democratize game development. The winning projects weren’t just technical demonstrations but practical tools addressing real needs with proper attention to security, scalability, and user experience.

The diverse expertise of the judging panel, from security and cloud architecture to frontend development and platform building, ensured that winning projects met professional standards across all dimensions. As these tools mature and reach wider audiences, they promise to expand the number of people who can participate in creating interactive experiences.

Tools that eliminate technical barriers while maintaining security and performance standards don’t just enable more creators, they enable entirely new forms of creative expression. The 72 hours of GameForge AI may ultimately be remembered when game development began transforming from a specialized skill to a universal creative medium.

_GameForge AI was organized by Hackathon Raptors, a UK Community Interest Company (15557917) focused on running impactful technical challenges. Learn more at raptors.dev_

GameForge AI Hackathon 2025: Building the Bridge Between Natural Language and Game Creation

Kaspersky's SecureList reveals GhostContainer, a new, highly customized backdoor targeting government and high-tech organizations in Asia via Exchange server vulnerabilities. Learn how this APT malware operates and how to stay protected.

Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.

****Understanding GhostContainer****

GhostContainer is a multi-functional backdoor designed to evade detection by mimicking standard server components. It is delivered as a file named ‘App_Web_Container_1.dll’ and has a file size of 32.8 KB. Its core functionality is extended through additional downloadable modules. The researchers indicate that the attackers likely exploited a known, unpatched vulnerability (N-day vulnerability) in Exchange servers to gain initial access.

Source: SecureList

A key component of GhostContainer is the ‘Stub’ class, which acts as a command and control (C2) parser. It can execute shellcode, download files, run commands, and load extra .NET byte code. Particularly, the Stub class attempts to bypass Antimalware Scan Interface (AMSI) and Windows Event Log by overwriting specific addresses, further aiding in its stealth.

Researchers identified that data transferred between the attackers and the server is protected using AES encryption, with the key derived from the ASP.NET validation key. The malware’s capabilities include getting system architecture, running shell code, executing command lines, and managing files.

****Sophisticated Features and Open-Source Roots****

GhostContainer also includes a ‘virtual page injector’ class (App_Web_843e75cf5b63) that creates ghost pages to bypass file checks and load a .NET reflection loader. This loader then activates the web proxy class (App_Web_8c9b251fb5b3), a central element of the malware. This web proxy component possesses capabilities for web proxying, socket forwarding, and covert communication.

SecureList’s investigation also revealed that the attackers leveraged several open-source projects to build GhostContainer. For instance, the Stub class appears to be based on _ExchangeCmdPy.py_, an open-source tool for exploiting the Exchange vulnerability CVE-2020-0688.

Similarly, the virtual page injector utilizes code from ‘PageLoad_ghostfile.aspx,’ and the web proxy component is a customized version of ‘Neo-reGeorg,’ another open-source project. This blend of public tools with custom modifications showcases the attackers’ advanced skills.

****Targeting High-Value Organizations****

Telemetry data gathered by the researchers suggests that GhostContainer is part of an Advanced Persistent Threat (APT) campaign. The identified victims so far include a key government agency and a high-tech company, both situated in Asia.

The attackers do not rely on a traditional C2 infrastructure; instead, they control the compromised server by embedding commands within regular Exchange web requests. This approach makes it challenging to identify their specific IP addresses or domains.

The investigation into the full scope of these attack activities is ongoing. Meanwhile, organizations should act swiftly and immediately apply all available security updates and patches for Exchange servers and other software to close known vulnerabilities.

New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia

Trellix exposes SquidLoader malware targeting Hong Kong, Singapore, and Australia's financial service institutions. Learn about its advanced evasion tactics and stealthy attacks.

Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.

****A Covert Attack****

The attack begins with spear-phishing emails written in Mandarin, accurately crafted to impersonate financial institutions. These emails deliver a password-protected RAR archive containing a malicious executable. The email body itself is crucial to the deception, as it provides the password for the attachment. The subject line often poses as a “Registration Form for Bond Connect Investors Handling Foreign Exchange Business through Overseas Banks.”

The email claims to be from a financial representative, requesting the recipient to check and confirm the attached “scanned copy of the Bond Connect investor foreign exchange business registration form.” This file is cunningly disguised, not only mimicking a Microsoft Word document icon but also falsely adopting the file properties of a legitimate AMDRSServ.exe to bypass initial scrutiny.

Upon execution, SquidLoader unleashes a complex five-stage infection. It first unpacks its core payload, then initiates contact with a Command and Control (C2) server using a URL path that mimics legitimate Kubernetes services (e.g., /api/v1/namespaces/kube-system/services) to blend with normal network traffic.

This initial C2 communication transmits critical host information, including IP address, username, computer name, and Windows version, back to its operators. Finally, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a different address (e.g., 182.92.239.24), granting attackers persistent remote access.

Attack Chain (Source: Trellix)

****Evasive Tactics and Global Implications****

A key reason for SquidLoader’s danger is its extensive array of anti-analysis, anti-sandbox, and anti-debugging techniques. These include checking for specific analysis tools like IDA Pro (ida.exe) or Windbg (windbg.exe) and common sandbox usernames.

Notably, it employs a sophisticated threading trick involving long sleep durations and Asynchronous Procedure Calls (APCs) to detect and evade emulated environments. Should it detect any analysis attempt, the malware self-terminates. After its checks, it displays a deceptive pop-up message in Mandarin: “The file is corrupted and cannot be opened,” requiring user interaction that can thwart automated sandboxes.

“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organisations,” Trellix researchers emphasised in their report.

The observed targeting in multiple countries highlights the global nature of this evolving threat, urging financial institutions worldwide, particularly in Hong Kong, Singapore, and Australia, to increase their security against such highly evasive adversaries.

SquidLoader Malware Campaign Hits Hong Kong Financial Firms

CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about…

CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about the shadow banking empire using fake apps, mule accounts, and illegal payment gateways that threaten India’s financial security.

CloudSEK has exposed a large-scale illegal financial operation in India, allegedly run by Chinese cyber syndicates, that’s laundering over $580 million (₹5,000 crores) annually. This shadow banking empire uses illegal payment gateways, fake mobile apps, and a network of mule accounts to move dirty money, posing a significant threat to India’s financial and national security.

Illegal Payment Gateway (Source: CloudSEK)

****How the Scheme Operates****

According to CloudSEK’s investigation, shared with Hackread.com, the operation involves recruiting Indian citizens as money mules. Often, vulnerable individuals like unemployed youth or students are targeted through deceptive earning apps distributed via Telegram and WhatsApp.

These apps trick users into giving up sensitive banking information or even intercepting One-Time Passwords (OTPs), effectively taking control of their accounts. In other cases, people are simply paid to open new bank accounts and hand over debit cards, cheque books, and linked SIM cards to the syndicate.

Once obtained, these mule accounts become part of an illegal payment gateway system controlled by Chinese operators. This system processes funds for various illicit activities, including illegal gambling, Ponzi schemes, predatory digital lending, “digital arrest” scams, and fake stock trading platforms. Unlike legitimate payment gateways regulated by the Reserve Bank of India (RBI), these operate entirely outside legal oversight.

The funds are then laundered through a complex, multi-layered process. Money is rapidly moved between numerous mule accounts to obscure its origin. Finally, the laundered cash is often converted into cryptocurrency, primarily Tether (USDT), moved through informal hawala networks, or disguised as legitimate international trade to exit India’s financial system.

Operation flow (Source: CloudSEK)

****Scale and Impact****

The sheer scale of this operation is staggering. CloudSEK’s analysis of just one such application revealed that around $20 million was laundered through nearly 398,675 transactions involving 34,299 mule bank accounts in a single year. Extrapolating these figures to the wider network suggests the annual laundering volume reaches up to approximately $585 million. The Indian Cybercrime Coordination Centre (I4C) advisory identified approximately 4,000 new mule accounts daily.

This illicit activity has severe consequences for the Indian economy. It funnels vast sums of untaxed wealth out of the economy, potentially weakening the Indian Rupee, and erodes public trust in digital payments. Indian citizens are victimised twice: first by the initial scam, and then by facing legal consequences for unknowingly participating as money mules.

Recent investigations by Indian law enforcement, such as the Hyderabad Police and the Enforcement Directorate (ED), have already uncovered similar large-scale money laundering operations linked to foreign nationals, freezing hundreds of millions of dollars.

“These illegal payment gateways are not just financial crimes; they’re a direct attack on India’s digital economy and citizen trust. Our research arms stakeholders with actionable intelligence to disrupt these networks and protect India’s financial sovereignty,” said Mayank Sahariya, Cyber Threat Analyst at CloudSEK.

Dismantling this shadow economy requires a strong, multi-dimensional approach. This includes enhanced AI-powered monitoring by financial institutions, stricter regulations for fintech companies, improved international cooperation among law enforcement, and widespread public awareness campaigns to educate citizens on these evolving threats and how to protect themselves.

Chinese Groups Launder $580M in India Using Fake Apps and Mule Accounts

PoisonSeed group tricks users into bypassing FIDO Keys by misusing QR code logins, highlighting new social engineering risk to secure MFA.

Security researchers at Expel have detailed a new phishing technique that sidesteps the protection offered by physical FIDO (Fast Identity Online) security keys. While the keys themselves remain uncompromised, attackers have figured out how to trick users into granting access by misusing a legitimate cross-device login feature.

The attackers didn’t need to break the FIDO security key itself. Instead, they relied on social engineering to get around it. They took advantage of the cross-device sign-in feature, which is meant to make FIDO more user-friendly, and used it against the victim.

****QR Code and Phishing Page****

It starts with the user visiting a fake login page and entering their credentials. The attacker uses those details to start a real login on the actual site, which then displays a QR code. The user sees that code and scans it with their MFA app, not realising they’ve just approved the attacker’s login.

The campaign was spotted during a phishing attack against an Expel customer. Victims were lured to a fake Okta login page that mimicked the company’s legitimate portal. Once users entered their credentials, the phishing site passed them to the real login system and requested a cross-device sign-in.

That system then displayed a QR code, which the phishing site captured and showed to the user. When scanned using their mobile MFA app, the user unknowingly approved the attacker’s session.

This approach bypasses the need for physical interaction with the FIDO key, which would normally be required to complete the login. It also shows how attackers continue to find new ways to work around even the most secure authentication systems, not by hacking the tech itself, but by exploiting the people using it.

****PoisonSeed****

According to Expel’s report shared with Hackread.com, the company suspects the group behind the attack is PoisonSeed, a known threat actor linked to phishing campaigns and cryptocurrency theft. Although the goal in this case was likely account access, the same technique could be applied to other types of phishing or data theft.

Expel also referenced a second incident where attackers used phishing to reset a user’s password and then registered their own FIDO key to the account. Unlike the QR code approach, this one didn’t rely on tricking the user further after the initial compromise. It was a direct takeover.

Attack flow (Via Expel)

So what can be done? Expel recommends closely reviewing authentication logs for unusual activity, like logins from unexpected locations or rapid registration of multiple FIDO keys. Limiting geographic sign-in permissions and requiring Bluetooth proximity for cross-device authentication are also effective steps to reduce risk.

J Stephen Kowski, Field CTO at SlashNext, weighed in by pointing out that this isn’t a glitch in the system, it’s a deliberate misuse of a feature. “The technique is clever because it exploits the legitimate cross-device sign-in feature that makes FIDO keys more user-friendly,” he said, adding that attackers are now working around strong authentication rather than trying to break it.

Source

HackRead