ESET has identified PromptLock, the first AI-powered ransomware, using OpenAI models to generate scripts that target Windows, Linux…

ESET has identified PromptLock, the first AI-powered ransomware, using OpenAI models to generate scripts that target Windows, Linux and macOS.

It was only a matter of time before artificial intelligence became a building block for cybercriminals. This week, researchers at ESET revealed what they are calling the first known AI-powered ransomware, a prototype dubbed PromptLock, which uses an open-weight AI model from OpenAI to generate malicious code on the fly.

Rather than carrying a static payload, PromptLock calls on the gpt-oss:20b model through the Ollama API, enabling it to write and execute Lua scripts directly on a compromised system. These scripts can scan directories, inspect files, exfiltrate selected data, and encrypt the results, all without the need for prepackaged binaries. That flexibility gives attackers a level of adaptability not commonly seen in traditional ransomware.

The malware is written in Golang, making it cross-platform, and ESET has already spotted both Windows and Linux samples uploaded to VirusTotal. Because Lua is lightweight and portable, it allows PromptLock to reach further than its usual victims and run on systems often neglected by ransomware operators, including macOS and consumer Linux devices.

Interestingly, researchers noted that while PromptLock can exfiltrate and encrypt files, but its ability to destroy data has not yet been implemented. This, along with several rough edges in the code, suggests that it is a proof-of-concept or work-in-progress rather than a live campaign targeting organisations.

This screenshot shared by ESET shows a list of functions inside the PromptLock ransomware code. Each entry is essentially a function name that reveals what the malware can do.

ESET’s findings add to worries that AI-driven malware could make cyberattacks faster and larger-scale. Just as machine learning has already been used to create more convincing phishing lures and deepfake content, models can also be adapted to handle tasks such as reconnaissance, persistence, or data theft. PromptLock shows that ransomware authors are already experimenting with this approach.

Commenting on the discovery, Nathan Webb, principal consultant at Acumen Cyber, explained why this development should not be dismissed as a simple lab experiment: “This is possibly the first instance of an AI-powered piece of ransomware observed in the wild. Rather than come with a payload, the malware uses ChatGPT to write Lua scripts on the fly, which gives it information about the local system and allows it to view files, exfiltrate data, and ultimately encrypt the system.”

“The use of Lua here suggests that attackers are trying to make the ransomware platform-agnostic, so that they can target a wider range of systems and environments, especially those not traditionally targeted due to their low market share, like Apple devices, and consumer Linux devices,” Nathan pointed out.

Webb also pointed out that defending against such threats will require new thinking around script interpreters and OS-level tools. Security vendors will need to improve detection mechanisms that can separate legitimate scripts from malicious ones, using their own machine learning models to deobfuscate and analyse behaviour in real time.

First AI-Powered Ransomware PromptLock Targets Windows, Linux and macOS

Cybersecurity firm Netcraft has discovered a new task scam cluster that has stolen over $1 million in crypto.…

Cybersecurity firm Netcraft has discovered a new task scam cluster that has stolen over $1 million in crypto. The scammers use API-driven templates to impersonate brands like Delta Airlines, AMC, Universal Studios, Epic Records and more.

New research from Netcraft, shared with Hackread.com ahead of its publication, reveals how a single group of cybercriminals has built a network of fake websites that impersonate major companies, including Delta Airlines, to lure in victims. This is a highly organized scam where attackers are using a clever template to trick victims out of millions of dollars in cryptocurrency.

The scheme, known as a task scam, promises people a job as an online agent. For example, on a fake Delta site (DeltaAirlineiVIPcom), victims are told they can earn a commission by booking fake flights. But to start “working” and become a “VIP” agent, they first have to pay a fee by depositing cryptocurrency into a digital wallet. The minimum fee is around $100, but some victims are encouraged to invest as much as $50,000 to unlock higher-paying tasks.

Moreover, scammers lure victims with the promise of easy money, offering to pay a small commission, like $0.71 in USDT, for a seemingly low-cost flight, while the victims unknowingly send much larger sums.

Source: Netcraft

****The “Boxer” Behind the Fraud****

Netcraft researchers managed to link the scams after noticing something simple but effective. All of the scam websites were registered under the name Boxer from Dallas, US. This unique detail allowed the team to uncover hundreds of similar scam domains targeting other well-known brands like AMC Theatres, Universal Studios, and Epic Records.

Additionally, by analyzing transactions on the public blockchain, researchers were able to trace approximately $948,000 in USDC and $300,000 in ETH, alongside $114,000 in Bitcoin and $3,000 in USDT, to a single cryptocurrency wallet.

Furthermore, they found a configuration file, called a JSON file, which contained all the parameters for how the site works. This discovery highlighted the automated, template-based nature of the entire operation. The template can be easily adjusted to change the name of the company, the type of tasks, and the cryptocurrency wallet addresses, allowing the scam to adapt and expand quickly.

****A New Threat****

The findings show a new threat where scammers are no longer building one-off fake websites but are instead using automated tools. The scam websites were even hosted on Alibaba Cloud’s registrar service, a detail that helped researchers trace their technical tracks.

Netcraft’s team continues to monitor this scam network, which is still active. The firm warns that this kind of fraud is difficult to spot because it’s designed to look professional and targets people looking to earn extra money online.

Scammers Steal $1 Million in Crypto Using Fake Delta and AMC Sites

Farmers Insurance reports a breach affecting 1.1 million customers. Learn how the attack, linked to groups ShinyHunters and…

Farmers Insurance reports a breach affecting 1.1 million customers. Learn how the attack, linked to groups ShinyHunters and Scattered Spider, is part of a wider trend impacting companies via Salesforce.

Farmers Insurance has disclosed a significant data breach that impacted more than 1.1 million customers. The company confirmed that a third-party vendor was the target of a cyberattack, which resulted in the theft of sensitive personal information. Although the vendor’s name wasn’t released, several reports are connecting this incident to a larger series of cyberattacks against companies using the Salesforce customer relationship management platform.

Current status of the company’s website (Image credit: Hackread.com)

Farmers Insurance, a part of the Zurich Insurance Group, first learned of the unauthorized access on May 30, 2025, when the vendor detected suspicious activity. The compromised data included names, addresses, dates of birth, driver’s license numbers, and in some cases, the last four digits of Social Security numbers.

The breach is reported to have affected around 1,111,386 people across 10 states, including California, Washington D.C., Iowa, Maryland, Massachusetts, New York, New Mexico, North Carolina, Oregon, and Rhode Island. After an investigation, the company began sending notifications to affected individuals on August 22, 2025, and is offering two years of identity theft protection services at no cost.

This incident is part of a series of cyberattacks that have recently targeted the insurance industry and other businesses. Multiple outlets have linked the breach to a broad social engineering campaign related to Salesforce. This type of attack often involves hackers using deceptive phone calls, or “vishing,” to trick employees into giving them unauthorized access.

Cybersecurity firms, including Google’s Mandiant, have attributed some of the recent attacks on the insurance sector to a group known as Scattered Spider. However, the cybercrime group ShinyHunters has also claimed responsibility for the data theft, stating that they and Scattered Spider work together. These groups have reportedly been linked to several major incidents that have affected well-known companies in various industries, including Cisco and Allianz Life.

According to the group, Scattered Spider provides the initial access to a company’s systems, while ShinyHunters handles the exfiltration of stolen data and extortion demands. This trend is not isolated to the insurance sector.

The luxury brand Chanel recently announced that its own US database, which was part of a Salesforce environment, was breached.  Google also recently confirmed that one of its internal databases, which also used Salesforce, was breached by ShinyHunters in June.

These incidents emphasise the growing security concerns for all businesses that use the Salesforce platform and are targeted by these sophisticated social engineering tactics.

_“_With the supply chain now a growing target for cybercriminals, organizations that provide services to large enterprises – and handle regulated sensitive data on their behalf – must ensure appropriate security controls are in place to protect that data from threats,_“_ said Piyush Pandey, CEO at Pathlock.

_“_One of the key elements to address this is to implement robust access governance, including the ability to detect unauthorized access in real time – so that malicious activity can be identified and shut down before any data is exfiltrated,_“_ he advised.

ShinyHunters and Scattered Spider Linked to Farmers Insurance Data Breach

A critical vulnerability (CVE-2025-9074) in Docker Desktop for Windows and macOS was fixed. The flaw allowed a malicious…

A critical vulnerability (CVE-2025-9074) in Docker Desktop for Windows and macOS was fixed. The flaw allowed a malicious container to escape and gain administrator access to the host computer.

A security flaw in Docker Desktop, a popular application for developers, has been fixed after it was found to allow attackers to break out of isolated containers and take full control of a computer. This vulnerability, officially known as CVE-2025-9074 with a critical score of 9.3 out of 10, impacts both Windows and macOS versions of the software.

The flaw, which was patched in Docker Desktop version 4.44.3 on August 20, 2025, allows a malicious program running inside a container to get unauthorised access to the main computer. For your information, containers are isolated environments that keep applications separate from the host system, but this security issue bypassed that protection.

****A Flaw in the System****

The problem was that the Docker Engine’s internal communication system, a type of web address known as an HTTP API, was exposed without any security checks. This meant that a container with malicious code could connect to the API, create a new container with special “privileged” powers, and then access the host computer’s files. The attacker could then modify the system to gain administrator-level control. This is what’s known as a “container escape” or “container breakout” vulnerability.

The vulnerability was so severe that it worked even if the user had turned on Docker’s Enhanced Container Isolation (ECI) feature, which is designed to prevent such attacks. On Windows, an attacker could even use this flaw to overwrite important system files and take over the entire computer.

****The Fix and Recommendations****

Docker quickly released a patch to fix the issue in version 4.44.3. The company stated that the vulnerability was resolved, preventing a malicious container from accessing the Docker Engine to launch other containers.

This incident makes it critical for anyone using Docker Desktop to remain vigilant. To stay secure, first, update all your software, including Docker Desktop to version 4.44.3. Second, harden your settings by avoiding overly permissive configurations, such as the –privileged command, and by restricting what containers can access. Finally, continuously monitor your system for any suspicious activity, such as unusual resource usage, to detect malicious programs.

_“_Docker Desktop is a very useful tool when it comes to running isolated environments and applications without touching the host system and this vulnerability essentially breaches that boundary and lets a malicious user explore the host file system which is supposed to be out of bounds for the container,_“_ said Ms. Nivedita Murthy, Senior Staff Consultantat Black Duck, a Burlington, Massachusetts-based provider of application security solutions:.

_“_The developer community heavily uses Docker Desktop on their systems, which would primarily be either Windows or, in some cases, Mac systems as well,_“_ she pointed out. _“_IT teams should push for updates and sound an alert to all users to upgrade immediately. They should also proactively search the organisation’s assets for any installed versions of the software and either remove or upgrade them as needed to ensure organisation deliver development velocity with trust,” Nivedita advised.

Docker Desktop Vulnerability Allowed Host Takeover on Windows, macOS

A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed…

A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed MFA using stolen OAuth tokens and what organizations can do to secure non-human identities.

A recent advisory issued by the Google Threat Intelligence Group (GTIG) and Mandiant has revealed a widespread data theft campaign targeting Salesforce. The campaign, which took place from as early as August 8 through at least August 18, 2025, was carried out by a threat actor known as UNC6395.

****Bypassing Security with a Digital Key****

As per GTIG’s advisory, in this case, the attackers didn’t exploit a vulnerability in the core Salesforce platform; instead, they compromised OAuth tokens from the Salesloft Drift third-party application.

For your information, OAuth tokens are like a special digital key that grants access to a user’s account without needing a password. Because the attackers abused these non-human identities (NHIs), they could completely bypass traditional security measures like Multi-Factor Authentication (MFA), which protects against simple password theft.

Once inside, UNC6395 systematically exported large volumes of data from numerous corporate Salesforce accounts. Their primary goal was to harvest credentials and search for high-value “secrets” that could be used for further attacks.

The threat actor specifically targeted data from customer accounts, users, and opportunities, looking for sensitive information such as AWS access keys and Snowflake tokens.

The advisory noted that Google Cloud customers were not directly impacted by this campaign.

****Rapid Response****

The attackers showed an awareness of security, deleting their query jobs to cover their tracks. However, their activity was still logged, providing a trail for security teams to follow.

In a swift response, Salesloft, in collaboration with Salesforce, revoked all active access tokens for the Drift app on August 20, 2025. Also, Salesforce temporarily removed the Drift application from its AppExchange platform while the investigation continues.

Both companies and GTIG have notified the organizations affected by the breach.

Reflecting upon this incident, Astrix Security shared its observations in a separate blog post, revealing that exploiting NHIs is a growing trend for attackers because these identities are persistent and often have high-level privileges.

Astrix dubs this campaign a textbook example of this trend, where attackers gain a direct, trusted path to exfiltrate data and hunt for even more high-value NHIs, like cloud infrastructure keys.

Therefore, organizations must adopt proactive security measures. GTIG suggests hardening access controls by restricting Connected App scopes, searching for exposed secrets within their Salesforce data, rotate compromised credentials, checking for specific IP addresses/User-Agent strings, and enforcing IP restrictions to limit future risk.

Jonathan Sander, Field CTO at Astrix Security, stated in a comment shared with Hackread.com that the breach was a “classic NHI attack.” He explained that attackers steal things that “humans won’t notice” and operate in the shadows to steal more and more.

“Sadly, most of the time what we see is that people don’t know what they don’t know about their NHIs,” he said, highlighting that many organizations have not even created a basic inventory of these non-human identities.

Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach

Zscaler reports 77 Android apps on Google Play with 19 million installs spread malware, hitting 831 banks and…

Zscaler reports 77 Android apps on Google Play with 19 million installs spread malware, hitting 831 banks and exposing users to fraud and theft.

A new investigation by Zscaler’s ThreatLabz team has revealed that 77 malicious apps with over 19 million installs were delivering different malware families through the official Google Play Store.

The research focused on a new infection wave of the Anatsa (aka TeaBot) banking trojan, a harmful program first identified in 2020 that has evolved into a more dangerous and sophisticated threat.

The latest Anatsa variant has dramatically expanded its reach, now targeting over 831 financial institutions worldwide from the previous count of 650. The malware’s operators have also included new regions like Germany and South Korea, in addition to popular cryptocurrency platforms.

Many of the decoy applications, which were designed to look like harmless document readers, had individually racked up more than 50,000 downloads, demonstrating the wide reach of the campaign.

Anatsa installer behaviour as per anti-analysis checks results (Source: Zscaler)

The malware operators, reportedly, use an app named ‘Document Reader – File Manager’ as a decoy, which only downloads the malicious Anatsa payload after installation to evade Google’s code review.

Further research revealed that the apps downloaded from the official store are initially clean and function as promised. However, once installed, the app quietly downloads the Anatsa malware disguised as a necessary update. By tricking users into enabling Android’s Accessibility Services, the malware can automate its malicious actions.

Once it has control, the malware steals financial information, monitors keystrokes and facilitates fraudulent transactions by displaying fake login pages that mimic the banking or financial apps on a user’s device. When a user tries to log in, the information is sent directly to the attackers.

The malware can also evade security analysis by making its code difficult to read and by checking if it is being run in a testing environment. This includes using Data Encryption Standard (DES) runtime decryption and performing emulation checks to bypass security tools. It uses a corrupted ZIP archive to hide a crucial malicious file, making it difficult for standard analysis tools to detect.

Zscaler’s investigation found that while the majority of malicious apps contained adware, the most frequently found Android malware was Joker, present in almost a quarter of the analysed apps. This type of malware is known for its ability to steal contacts and device information, take screenshots, make calls, and even read and send text messages to subscribe users to premium services without their consent.

A smaller group of apps contained “maskware,” a type of malware that functions as a legitimate app while conducting malicious activities in the background, such as stealing credentials and personal data like location and SMS messages. A Joker malware variant called Harly was also found, which avoids detection during the review process by having its malicious payload hidden deep within the code of an otherwise legitimate-looking app.

Source: Zscaler

As threats like this continue to expand and spread, they pose a growing risk to personal privacy, financial systems, and private companies alike.

“Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application,” the research concludes.

****An Expert’s View: Reactive Defences and New Threats****

“Zscaler Threat Labs’ discovery is a strong reminder that the security posture of official app stores like the Google Play Store is largely reactive,” said Mayank Kumar, Founding AI Engineer at DeepTempo. He noted that by the time these apps are removed, a vast number of users, in this case 19 million, are already compromised.

Kumar explained that attackers are becoming more creative, using tactics such as embedding their code deep within an app’s core to appear benign during the review process. He cited the Harly variant as an example, noting that it uses layers of obfuscation to bypass security checks.

“With the advent of AI, it will become even easier for threat actors to design the multi-stage payloads and advanced obfuscation needed to defeat the scanning and signature-based detection systems that form the core of app store defences,” he added.

77 Malicious Android Apps With 19M Downloads Targeted 831 Banks Worldwide

Incogni finds top foreign apps downloaded in the US harvest names, locations, and emails, sharing them with third parties for ads and profiling.

A new study by the data privacy firm Incogni, shared with Hackread.com, has revealed that a majority of the most-downloaded foreign apps in the US are still aggressively collecting and sharing user data.

The research focused on the ten most popular applications from outside the country and found that over half of them are owned by Chinese companies.

The study, published on August 26, 2025, shows just how dominant these apps have become. According to the findings, the apps studied have been downloaded an estimated 1 billion times in the US, and 755 million of those downloads are from Chinese-owned apps alone.

Incogni’s researchers found that Chinese apps are particularly “data-hungry.” On average, they collect 18 different types of data from each American user and share around six of those data types with other companies.

****TikTok, Alibaba, Temu and More…****

The report highlights TikTok as the biggest concern, as it was found to collect 24 types of data, including sensitive information like users’ names, home addresses, and phone numbers.

Other popular apps also showed concerning practices. The e-commerce giant Alibaba can access user photos, videos, and documents, while Temu collects location data and a list of installed apps.

Shein was noted for a different, yet equally alarming, pattern, sharing an astonishing 12 of the 17 types of data it collects. Other apps, including AliExpress and the Cyprus-based app ABPV, also share users’ approximate locations.

The study also included DramaBox, Telegram, and Talkie, with most apps in the top 10 collecting an average of 15 data types and sharing 5 of those types. The graph below provides a visual breakdown of the data types collected and shared by the most popular foreign apps.

As evident, Alibaba, AliExpress, and ABPV (America’s best pics, vids) collect or share a user’s approximate and precise location. Similarly, AliExpress and DramaBox, collect purchase history, and both Alibaba and Shein collect and share users’ email addresses and names for advertising.

Source: Incogni

****Targeted Advertising****

The report also explains that this data is often used for targeted advertising. Companies use this information to create detailed profiles of users to influence their buying habits, and in some cases, even personalize prices, which is a major departure from the standard pricing models most people are used to. These apps can even share user emails with third parties, contributing to a rise in unwanted spam.

“Many of these apps are quietly collecting and sharing personal information like names, addresses, and approximate locations, leaving users extremely vulnerable to third-party breaches,” Incogni’s Head, Darius Belejevas. “People deserve to know how and where their information is being used, along with ways to manage or prevent that use,” Belejevas argued.

The study warns that this widespread data collection is not just a privacy issue but also a national security risk, as some foreign governments have been linked to similar data thefts in the past.

Study Reveals TikTok, Alibaba, Temu Collect Extensive User Data in America

Menlo Park, United States, 26th August 2025, CyberNewsWire

**Menlo Park, United States, August 26th, 2025, CyberNewsWire**

**AccuKnox,** a leader in Zero Trust Kubernetes and cloud-native security solutions, has been issued a patent by the U.S. Patent and Trademark Office for the breakthrough technology in Runtime Security of Kernel-Level Events. 

This innovation delivers **real-time detection, prevention, and remediation** of anomalous kernel activity. The patented solution improves system strength by constantly watching kernel-level events, linking them to security rules, and automatically taking protective steps without slowing down performance. This technology addresses **critical security gaps** in cloud workloads, containers, and edge devices, helping organizations meet stringent compliance and operational requirements.

**What is unique about this innovation?**

These key inventions and innovations in this patent surround highly efficient and effective in-line, run-time security to prevent advanced zero-day attacks like ransomware, cryptominer attacks, etc. The patent entails the following:

1.  **Enhanced** **eBPF** **Capabilities—**Leverages the expanded instruction count in newer kernels (≥5.4) for better in-kernel aggregation of events.
2.  **Context Switch Reduction—**Performs in-kernel aggregation to avoid shipping every event to user space, cutting context switching by **up to 80%.**
3.  **Fidelity Preservation –** Aggregates events without sacrificing telemetry accuracy.
4.  **Advanced Correlation —** handles the spatial and temporal correlation of events within the kernel for in-kernel decision-making.

**Quotes from Key Stakeholders**

> “This patent marks a major milestone for AccuKnox and validates the unique security capabilities we’ve developed to protect organizations against advanced runtime threats. It strengthens our intellectual property portfolio and enables our customers to defend their most sensitive workloads with unprecedented precision and speed.” – Nat Natraj, CEO & Co-Founder, AccuKnox

> “Our industry has worked relentlessly to push the boundaries of what’s possible in runtime security.” – James Berthoty, CEO & Industry Analyst, Latio

> “This patent reflects our deep technical expertise in leveraging eBPF for real-time, high-fidelity security at the kernel level —protecting modern workloads with unmatched speed and efficiency.” – Rahul Jadhav, Co-Founder & CTO, AccuKnox

> “This is a seminal invention that vastly enhances the state of the art in runtime security. Run-time container security and, in general, Zero Trust security were great concepts, but were difficult to operationalize at scale. I commend AccuKnox for its innovations and inventions, and this patent award is apt recognition.” – Dr. Ed Amoroso, Managing Director, TAG Infosphere, and Former CISO, AT&T

**About AccuKnox**

AccuKnox provides a Zero Trust Code to the Cognition CNAPP Security platform. AccuKnox is the industry’s only platform that secures all public clouds and all private clouds; modern workloads like Kubernetes, IAC, AI/LLM, and Edge/IoT; and traditional workloads like virtual machines and bare metal. AccuKnox is funded by leading security investors, including National Grid Partners, MDSV, Avanta Venture Partners, Dolby Family Ventures, DreamIT Ventures, 5G Open Innovation Lab, and Seedop. AccuKnox was formed in partnership with SRI International (previously Stanford Research Institute) and has seminal patents on different aspects of Zero Trust security. https://accuknox.com/

**Media Contact:**

Syed Hadi \[email protected\] www.accuknox.com 

**Contact**

**PMM**  
**Syed Hadi**  
**\[email protected\]**

AccuKnox Awarded Patent for Runtime Security of Kernel Events

Silver Spring, USA / Maryland, 26th August 2025, CyberNewsWire

**Silver Spring, USA / Maryland, August 26th, 2025, CyberNewsWire**

Aembit, the workload identity and access management (IAM) company, today announced new capabilities for GitLab designed to reduce the security risks of long-lived personal access tokens (PATs) and other secrets needed to automate software delivery, while making it easier to deploy and manage pipelines.

With the introduction of Credential Lifecycle Management and the availability of Aembit Edge as a native GitLab integration, Aembit replaces static credentials with short-lived, policy-controlled access that is created only when required and revoked automatically. This reduces the risk of misuse while giving development teams a simpler, more reliable way to work inside GitLab.

GitLab is one of the most widely used platforms for building and deploying software, enabling the automation that moves code from development into production. Its popularity has also made it a frequent target: long-lived credentials and unmanaged service accounts have been exposed in several high-profile breaches, including incidents at Pearson and the Internet Archive, leading to stolen data and costly downtime.

Aembit Credential Lifecycle Management addresses these risks directly. Instead of PATs that linger for months or years, Aembit issues short-lived credentials only when a pipeline job requires them, then automatically expires them. Access is tied to cryptographically verifiable workload identity and multifactor authentication (MFA) checks and controlled by a policy enforced at runtime, giving organizations both stronger protection and clear audit records of which workloads accessed which resources and when. Meanwhile, related service accounts are created and removed on demand, ensuring that no unused accounts remain active.

Aembit is now listed in the GitLab CI/CD Component Catalog. This makes Aembit directly available inside GitLab, allowing teams to add it to their pipelines without extra configuration or manual setup. This native integration simplifies the process of connecting pipelines to databases, APIs, and cloud services, reducing reliance on embedded secrets and manual credential handling.

> “Developers want to move quickly without worrying about where a credential is stored or whether it needs to be rotated,” said Kevin Sapp, co-founder and CTO of Aembit. “Security teams, on the other hand, want assurance that nothing is left exposed. What we’ve built for GitLab satisfies both needs at once: developers get seamless access in their pipelines, and security leaders get the confidence that access is temporary, accountable, and safe.”

Organizations, such as Snowflake, that have adopted the Aembit Workload IAM Platform report meaningful reductions in the time spent managing credentials and fewer disruptions following security incidents. Security teams value the ability to enforce least privilege automatically, while developers appreciate that tokens are provisioned and revoked transparently without additional coding or manual steps. By embedding these controls into GitLab, Aembit allows enterprises to strengthen security while maintaining the speed and consistency expected of modern software pipelines.

The scale of the issue is significant. Non-human identities already outnumber human ones by at least 45 to 1, and credential abuse remains a leading attack vector according to the 2025 Verizon Data Breach Investigations Report. The rise of agentic AI is adding even more autonomous workloads, increasing the demand for secure, short-term access controls. At the same time, engineering teams lose hours each week to manual credential rotation, a process that cannot keep pace with sprawling pipelines and multicloud environments.

Both GitLab Credential Lifecycle Management and the Aembit Edge component are available immediately. Customers can begin with the Aembit Starter Tier and expand into enterprise-grade policy enforcement, conditional access, and reporting as requirements mature.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like AI agents, applications, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit aembit.io and follow the company on LinkedIn.

**Contact**

**CMO**  
**Apurva Dave**  
**Aembit**  
**\[email protected\]**

Aembit Extends Secretless CI/CD with Credential Lifecycle Management for GitLab

Zimperium’s research reveals the Hook Android malware is now a hybrid threat, using ransomware and spyware to steal…

Zimperium’s research reveals the Hook Android malware is now a hybrid threat, using ransomware and spyware to steal data via phishing and GitHub distribution.

Mobile security firm Zimperium has issued a new alert about a sophisticated evolution in mobile threats. Zimperium’s zLabs research team recently discovered a new variant of a harmful Android program known as the Hook banking trojan.

This new research was shared with Hackread.com, highlighting a major escalation in danger for mobile users. As per Zimperium’s findings, once limited to stealing banking information, Hook has evolved into a hybrid tool combining ransomware, spyware, and traditional bank-hacking capabilities.

Dubbed Hook Version 3, this new variant now supports an alarming 107 remote commands, with 38 new additions in this update. This gives attackers an unprecedented level of control over a victim’s mobile device.

The malware is highly effective at tricking its victims. By luring users into enabling Android’s Accessibility Services, a feature designed to help people with disabilities, the malware can automate its malicious actions.

Malware requesting accessibility services (Source: Zimperium)

Moreover, it uses fake, transparent screens to capture PINs and other private details. For example, it can display a deceptive interface over the device’s lock screen, tricking the user into entering their security PIN or pattern. It can even mimic legitimate apps, such as a fake Google Pay screen to steal credit card details or a fake NFC prompt to capture sensitive data.

It must be noted that while the malware can display a fake NFC prompt, the source code indicates this is a future capability, showing how the attackers are still actively building and expanding the malware.

Other than stealing information, Hook can also stream a device’s activity in real time, giving the attacker a live view of everything the user is doing. One of the most dangerous new features is a screen-locking ability that displays a full-screen WARNING message demanding a ransom payment. The wallet address and ransom amount for this message are dynamically received from a remote server, making the attack highly adaptable.

Fake NFC overlay and full-screen note (Source: Zimperium)

It is worth noting that although live streaming device activity is not entirely new, it is still rare compared to more common malware features. Recently, Doctor Web researchers spotted an Android malware called Android.Backdoor.916.origin, which was targeting Russian devices. It is capable of live-streaming audio from the microphone and broadcasting video from the camera.

On the other hand, according to Zimperium’s report, Hook malware is being distributed on a large scale. While it still spreads through fake websites, the research shows that hackers are also using public platforms like GitHub to host and share the malicious files. This makes it easier for criminals to distribute the malware, and researchers have observed other families of malware like Ermac and Brokewell using the same technique.

The malware’s developers have even included hints of future capabilities, such as using platforms like RabbitMQ and Telegram for more strong communication. As threats like this continue to spread, they pose a growing risk to personal privacy, financial systems, and private companies alike.

Zimperium’s findings show that companies and individuals should take mobile security seriously since mobile devices are now being targeted for more than login credentials or banking information.

Source

HackRead