Discover why reliability, scalability, and local support matter more than cost when choosing Australian web hosting for your tech stack.

****Key Highlights****

*   Cheap hosting costs more long-term through downtime and lost trust.
*   Reliability, not price, should drive hosting decisions.
*   Australian web hosting offers faster speeds, better compliance, and local support.
*   Scalable, secure infrastructure protects both performance and growth.
*   The best hosts act as partners, not just service providers.

****The Real Cost of Cheap Hosting****

For most businesses, web hosting starts as a line on a budget spreadsheet, something to tick off fast and cheap. After all, if the site is online, what more could you need? But anyone who’s managed production infrastructure knows the reality: what you save on cheap hosting, you’ll often spend tenfold fixing.

Downtime, lag, security lapses, and poor support aren’t just technical issues; they’re business risks. A single hour of downtime can cost a growing SaaS thousands in lost transactions or customer trust. For eCommerce, that can mean abandoned carts and frustrated users who never return.

Price is easy to compare, but it’s the least reliable way to judge a hosting provider. The real difference shows up in the stability of your systems, the quality of support, and how well your infrastructure grows with your business. Cheap hosting isn’t a bargain if it keeps your team in damage control.

Smart tech leaders have learned to think of hosting not as an expense, but as an investment in uptime, performance, and peace of mind.

****Why Reliability Comes Before Price****

When a platform goes offline, the cost isn’t measured just in lost sales; it’s in lost time, lost focus, and lost credibility. Reliable hosting ensures those moments don’t happen.

Uptime guarantees can look impressive, but 99% uptime still allows for nearly four days of downtime per year. For developers deploying live applications or running client projects, that’s unacceptable. The difference between “good enough” and “enterprise-grade” is often a fraction of a percentage point, but that fraction represents real-world hours of lost access.

Reliability also means consistent performance. High latency and slow load times frustrate users and strain APIs, particularly for data-heavy products. A stable, well-managed hosting environment protects your customer experience as much as your backend systems.

****The Advantage of Local Infrastructure****

Location matters more than many teams realise. Hosting close to your core users improves speed, reliability, and compliance wherever that may be.

Choosing a provider with data centres in your target region ensures your applications load faster and your customer data stays compliant with local laws. For example, according to Ventraip, an Australian web hosting provider, businesses that use Australian hosting see lower latency for users across the region and simpler compliance with Australian data protection standards. The same idea applies anywhere; proximity supports performance.  

Local support also makes a practical difference. When your infrastructure partner operates within your time zone and understands your market, issues get resolved faster, and communication feels easier.

Wherever your business is based, choosing hosting that’s physically and operationally close to your audience is one of the simplest ways to build trust and deliver a smoother experience.

****Scalability and Future-Proofing****

What works for a small project today might collapse under tomorrow’s traffic. Scalable hosting ensures you can grow without replatforming every time your usage spikes.

Look for providers that offer flexible resource allocation, easy upgrades to RAM, storage, and CPU power as your business evolves. Features like load balancing, CDN integration, and container-ready environments help developers build resilient systems from the start.

The goal is continuity. Your infrastructure should expand as your business does, with minimal downtime or disruption. Migrating away from a limited host can be expensive and stressful, so choosing scalability early is an insurance policy for growth.

****Security and Compliance as Non-Negotiables****

In today’s threat landscape, security is not optional. From DDoS protection to automated backups, the best hosting providers treat safety as part of their DNA, not an add-on.

SSL management, malware scanning, and patching schedules should be automated and transparent. You should always know what protections are in place and how your provider handles vulnerabilities.

For Australian companies, compliance is another layer. Data residency laws, GDPR, and ISO standards all require that customer data be handled and stored responsibly. Reputable local hosts make this easy to maintain, with infrastructure that meets both security and legal standards out of the box.

If your provider can’t explain their compliance processes in plain language, they’re not a partner, they’re a risk.

****The Human Factor: Support That Understands Tech****

When something goes wrong, and eventually, it will support makes all the difference. The best hosts don’t hide behind ticket systems or automated chatbots. They employ technical experts who can actually diagnose and fix problems.

For tech teams, that means speaking to someone who understands frameworks, deployments, and APIs, not just password resets. Local support teams also bring speed and empathy; they know your context, your time zone, and your urgency.

Good support doesn’t just solve issues faster; it builds confidence in your infrastructure. And that confidence lets your team focus on development, not firefighting.

****Making Hosting a Strategic Decision****

Hosting isn’t just a technical choice, it’s a strategic one. The provider you select determines how reliable, scalable, and secure your operations will be for years to come.

Tech teams that treat hosting as a long-term infrastructure investment, not a commodity purchase, end up saving both time and money. The difference between a $10-a-month plan and a well-supported, high-performance environment is the difference between constant fixes and confident growth.

When it comes to digital infrastructure, the cheapest option is rarely the smartest. The right hosting partner doesn’t just keep your systems online; they keep your business moving forward.

(Image by William from Pixabay)

Thinking Beyond Price: What Tech Teams Should Look for in a Hosting Provider

AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution.

AI security firm AISLE recently discovered a serious vulnerability in the Firefox web browser that went unnoticed for six months. This flaw could have let attackers run their own instructions on a user’s computer, potentially putting over 180 million users at risk.

****The Cause: A Tiny Coding Error****

The flaw, tracked as CVE-2025-13016, was a subtle coding mistake that existed in a key part of Firefox’s engine that handles WebAssembly (Wasm). WebAssembly is basically a type of code that runs very quickly in your browser, typically used for games and complex web applications.

According to AISLE, the problem was a stack buffer overflow within a memory feature called Garbage Collection (GC). For your information, GC is a mechanism that automatically frees up unused computer memory.

The error was a single line of incorrect math involving memory pointers (like address tags). This allowed too much data to be written into a temporary spot, corrupting other memory.

Further probing revealed two specific issues: first, the code was told to copy twice the intended data, causing an overflow, and second, it started copying from the wrong memory spot, grabbing administrative data instead of the actual contents. This type of memory corruption is very dangerous because, with the right trick, an attacker could hijack the program’s normal flow and potentially execute arbitrary code.

The vulnerable code was introduced on April 7, 2025, and remained in multiple versions, including Firefox 143 through early 145 and ESR versions before 140.5. It is worth noting that even a test designed for this code path failed to catch the issue.

The problematic code (Source: AISLE)

****Quick Discovery and Fix****

The flaw, as per AISLE’s blog post, was discovered on October 2, 2025. The company’s researcher, Igor Morgenstern, immediately reported the issue to the Mozilla security team. Their response was fast; the team confirmed the problem on October 14, 2025. Mozilla’s Yury Delendik then developed the fix and put the changes in place the very next day. This rapid response led to a public patch release on November 11, 2025.

The vulnerability was rated as High severity (CVSS score 7.5). To exploit it, an attacker would need a user to visit a malicious webpage at a very specific moment, such as when the browser is dealing with high memory pressure.

The flaw affected all platforms, including Windows, macOS, Linux, and Android, but older versions like Firefox ESR 115 and all versions prior to 143 were not vulnerable.

Fortunately, the fix is now available in Firefox 145 and Firefox ESR 140.5 and later. Major Linux systems (like Ubuntu, Debian, and Fedora) rapidly incorporated this update, with Arch Linux updating within 24 hours of release. Users are strongly advised to update their Firefox browser immediately to the latest version to ensure they are protected.

Mozilla Foundation’s security advisory on this is available here:

Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users

X (formerly known as Twitter) has added a new location detail in its account transparency section. It shows…

X (formerly known as Twitter) has added a new location detail in its account transparency section. It shows where an account is based and which app store region it is linked to.

Some users call this a privacy risk and a problem for whistleblowers, but the idea itself is not new. Instagram has shown similar account details for years. Facebook also gives page location details in its transparency tab, but not for personal accounts.

****How to Hide Your Location on X****

You cannot fully hide your location on X. A VPN may help, but X works with third‑party services that tell the platform if an account is using a VPN. What you can do is change the display from your exact country to a wider region.

For example:

Account based in: United Kingdom → Account based in Europe

Connected via United Kingdom App Store → Connected via Europe App Store

To change this, go to your account, then Settings and Privacy, then Privacy and Safety, then Your X activity, then About your account. In that section, you can switch between showing your country or your region or your continent. Choose the option that fits your preference.

This location feature helps tackle abuse by adding transparency to where accounts operate from. Since its rollout, some high-visibility accounts have deactivated themselves after their true location was revealed. These included accounts pretending to be based in the US or Europe while pushing racist or exploitative content, later found to be operating from countries like Nigeria and India.

Other accounts involved in spreading false information were linked to Pakistan and Eastern European countries. Nevertheless, by showing location data, X is making it harder for coordinated networks to mislead users about their origin or intent.

How To Hide Your Country Location on X (Twitter) by Switching to Region

The Shai Hulud worm's "Second Coming" has compromised over 26,000 public repositories. We detail the attacker's mistake, the target packages, and mandatory security tips.

The Shai Hulud npm worm has re-emerged, launching an aggressive new attack on the software development world. This worm, which Hackread.com first reported in September 2025, returned this Monday, November 24, 2025, striking with dramatically increased intensity. This timing is notable as it occurs just before npm’s December 9 deadline to revoke old classic access tokens.

In September, the Shai Hulud attack compromised about 180 software libraries (repositories). However, security researcher Charlie Eriksen from Aikido Security detected the new wave early this morning (5:10 AM CET), seeing infected code projects skyrocket to over 19,000 in just a few hours. This represents a hundred-fold increase over the previous campaign.

****Compromised Tools and Faster Attacks****

The attack began with packages like go-template and 36 packages from AsyncAPI, quickly followed by those from PostHog and Postman. Among the first wave of over 60 compromised packages were the main tools for services like Zapier and the ENS platform. Specific affected items include packages such as @zapier/zapier-sdk, zapier-platform-core, @ensdomains/ensjs, ethereum-ens, and typeorm-orbit.

This new version of Shai Hulud is faster and more dangerous because the attackers learned from their previous attempt. They have streamlined their process for sending stolen data, “ditched the webhook bottleneck and now dump credentials straight to public GitHub repos,” explains Eriksen in the blog post shared with Hackread.com.

The malware’s primary goal is to steal credentials (sensitive access codes) from developers’ computers. According to Aikido’s investigation, these include critical access keys for major cloud services like Amazon Web Services (AWS), API keys, and tokens for platforms like GitHub and npm.

****Victims Become Threats****

The malware automatically scans both the local computer and connected cloud accounts and uses the TruffleHog tool to “ransack developer machines” for every secret it can find. The infection turns victims into immediate threats, as any stolen npm or GitHub keys are instantly used to compromise more packages. This means each victim becomes “an attack vector in real-time,” making it the quickest reaction ever recorded in the software supply chain.

Despite the scale, the attack’s overall impact was limited: the attackers made mistakes, as the core malicious file bun\_environment.js sometimes failed to bundle. The damage is still vast, however. In total, 425 packages were detected with signs of the new worm.

Over 19,000 public code repositories now contain stolen credentials, identified by the title “Sha1-Hulud: The Second Coming” in the description, and a total of over 26,300 repositories have been exposed. These affected packages have a combined total of 132 million monthly downloads (check the full list here).

Screenshots show 26.3k repositories exposed and the compromised GitHub repositories (Credit: Aikido Security)

****Immediate Actions for Developers****

The latest threat follows closely after researchers took down a fake version of the Prettier code formatter extension on the VSCode Marketplace, which had delivered Anivia Stealer in another developer-targeted attack.

This shows how developers are always the prime target of cyber criminals. To tackle the Shai Hulud threat, they must immediately uninstall compromised packages, rotate all credentials (GitHub, npm, cloud, and CI/CD secrets), audit dependencies, check GitHub for strange repos with the “Sha1-Hulud: The Second Coming” description, disable npm postinstall scripts in CI, and enforce MFA on all accounts.

Shai Hulud npm Worm Impacts 26,000+ Repos in Supply Chain Attack

Tel Aviv, Israel, 24th November 2025, CyberNewsWire

**Tel Aviv, Israel, November 24th, 2025, CyberNewsWire**

**Blast is introducing a new operating model for cloud security with a first-of-its-kind Preemptive Cloud Defense Platform, replacing reactive response with continuous prevention.**

Blast Security, a cybersecurity startup founded by industry veterans from Solebit (acquired by Mimecast) and elite IDF units, today announced its launch from stealth and a $10 million seed round co-led by 10D and MizMaa Ventures. Blast is redefining how organizations eliminate cloud risks using preventive guardrails to ensure environments remain secure by design. The company is already working with numerous global enterprises to secure their production environments, preventing cloud risk by over 90% and significantly shrinking the blast radius.

Enterprises operating at multi-cloud scale face relentless change and compounding complexity accelerated by the growth of AI. Blast’s Preemptive Cloud Defense Platform marks an inflection point for organizations shifting from reactive alert-chasing to proactive, continuously enforced prevention. It turns native cloud control into a preventive defense fabric, where every change is modelled, tested, and enforced safely. This approach ensures prevention never breaks production or slows innovation.

> “Cloud adoption and AI have multiplied complexity and risk faster than teams can keep up. The market is full of tools for detection and remediation, but the only reliable way to mitigate risk is to prevent it in the first place – and that’s what Blast is built to do,” said Boris Vaynberg, co-founder and CEO of Blast Security. “When Henry Ford introduced his automobile, many believed horses were good enough. It’s hard to see how a new approach can redefine the standard – until it becomes the standard. Our mission is to make prevention the new standard in cloud security and lead the market shift.”

The lightbulb moment for Blast’s founding team – Boris Vaynberg, Ido Bukra, and Roi Panai – came when they were called to reserve duty to lead a national-level cloud security project. During this critical time, the team realized that security must match the cloud’s speed, scale, and complexity with prevention measures-built in. Blast’s founding team brings over a decade of collaborative experience – their first company, Solebit, was acquired by Mimecast in their largest acquisition. Blast’s engineers are cloud security veterans committed to developing game-changing, practical solutions that prevent risks before they arise and keep cloud environments inherently secure.

> “At Via, we see the shift from alert-chasing to prevention as a strategic program to strengthen our overall defense. Blast enables us to enforce preventive guardrails at scale – making our cloud environments more resilient with the same resources, less manual effort, and the trust to ensure zero disruption to the business,” said Oren Hogery, CISO, Via.

> “Blast’s founding team has a remarkable history of solving complex security challenges,” said Itay Rand, General Partner at 10D Capital. “Their preemptive approach to cloud security meets a growing critical need in the market, enabling organizations to prevent threats rather than merely reacting to them. We’re thrilled to back Blast as they set a new standard for truly proactive cloud defense.”

To learn more about Blast’s Preemptive Cloud Defense Platform and its capabilities, users can visit blast.security. 

**About Blast Security**

Blast Security marks the end of reactive cloud security, replacing after-the-fact response with continuous prevention. Instead of reacting to threats and chasing alerts, Blast creates a living, preemptive defense fabric that continuously evolves with the enterprise cloud environment – eliminating alert fatigue, reducing operational friction, and shrinking the blast radius. The Blast founding team has worked together for more than a decade and has a proven track record of building scalable prevention products, including at Solebit (acquired by Mimecast). Headquartered in Tel Aviv, Blast is backed by leading investors and trusted by global organizations.

Users can visit **blast.security** to learn more.

**Contact**

**VP Markerting**  
**Dayana Nevo**  
**Blast Security**  
**\[email protected\]**

Elite Cyber Veterans Launch Blast Security with $10M to Turn Cloud Detection into Prevention

Cybersecurity firm Checkmarx Zero, in collaboration with Microsoft, removed a malicious 'prettier-vscode-plus' extension from the VSCode Marketplace. The fake coding tool was a Brandjacking attempt designed to deploy Anivia Stealer malware and steal Windows user credentials and data.

A swift response from security researchers recently stopped a harmful software attack targeting the popular Visual Studio Code (VSCode) Marketplace. A malicious extension, designed to look like Prettier – Code formatter, a legitimate and well-known coding tool, was quickly found and removed, stopping a potentially widespread security incident before it could cause damage.

****Quick Action Prevents Major Threat****

The security firm Checkmarx Zero identified the fake extension, named prettier-vscode-plus, which was posted under the publisher account publishingsofficial. This is an example of a Brandjacking attack, which occurs when a malicious party tries to use the good name of a trusted brand to trick people into downloading a dangerous alternative.

In this specific case, the extension exploited the famous Prettier brand name and was released on November 21, 2025, at 11:34:12 UTC. However, after collaborating with Microsoft and the VSCode Marketplace security group, the fake tool was taken down.

“We identified and reported this extension quickly, and it was removed within 4 hours after its publication,” a report shared with Hackread.com later stated. Because of this fast action, only a very small number of users were affected; the team found 6 downloads and 3 installs before the removal.

****A Hidden Danger****

Checkmarx Zero’s investigation revealed a multi-step attack designed to hide its true purpose. Instead of being a harmless coding tool, the extension was built to secretly load and run a variant of the Anivia Stealer, a malware designed to steal sensitive information from Windows computers, including passwords, private data, and even WhatsApp chats.

According to ThreatMon, an end-to-end intelligence platform, Anivia is being sold as Malware-as-a-Service for €120 per month or €680 for lifetime access. Researchers believe Anivia Stealer is likely a rebranded version of the earlier stealer known as ZeroTrace.

On the other hand, Checkmarx’s researchers noted that this attack was particularly clever. To prevent detection by common security software, it avoided writing the main malicious program directly onto the computer’s disk, instead running it from the machine’s memory. That’s a highly evasive technique.

Moreover, researchers also found that the malicious code was programmed to detect if it was running inside a security test environment (a sandbox) by checking for things like a very small amount of memory or a low CPU count, helping it hide its true purpose.

As we know it, extensions that attack tools used by developers are becoming a common way for cybercriminals to get access to company secrets and source code by stealing credentials. Checkmarx concludes that while this particular threat was stopped in its tracks, developers need to be careful when downloading tools, especially if they are from outside the official marketplace.

Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer

Certo Software found RadzaRat, an Android RAT disguised as a file manager that has a 0/66 detection rate on VirusTotal. It keylogs passwords and steals files.

Cybersecurity experts at Certo Software have discovered a new Android spyware called RadzaRat. This malware is a Remote Access Trojan (RAT) that gives criminals full remote control over a device, and alarmingly, it is currently completely undetectable to all major anti-virus programs. This important finding was shared with Hackread.com, highlighting a serious new risk for users.

****The File Manager Disguise****

According to Certo Software’s blog post, RadzaRat is hidden within an application that appears to be a normal file manager, a tool used to handle photos and documents. Once installed, it grants criminals extensive access, allowing them to browse and download files with advertised support for transfers up to 10 gigabytes, and even track everything you type, a feature known as keylogging.

Keylogging, as we know it, can steal sensitive details like passwords and credit card numbers. This capability is clearly demonstrated in the image shared by Certo Software researchers, which shows the malware operating and logging keystrokes via Telegram.

RadzaRat catching keystrokes.

****Zero-Detection and Low Cost****

A key concern is its distribution; the malware’s installation file was openly available online, which means anyone could download and use it. Furthermore, a test against 66 security vendors on VirusTotal showed a shocking 0/66 detection rate, proving it bypasses all current protection. This window of invisibility is a huge advantage for criminals.

VirusTotal scan showing zero detections (Image credit: Certo Software)

Co-founder of Certo Software, Simon Lewis, highlighted RadzaRat’s severity, stating: “What makes RadzaRat particularly dangerous is the combination of complete security vendor evasion and its public availability.”

“The APK installer file is openly accessible, meaning anyone can download and deploy their own version. We’re essentially watching a malware threat being distributed through the same platforms used for legitimate software development,” Lewis added.

****RadzaRat Spyware for Sale****

The malware is actively sold on underground forums by a developer named ‘Heron44’ and requires minimal resources to run, relying only on free services like a Render.com server and a Telegram bot.

This zero-cost setup means anyone with minimal skill can deploy it. The program, first made public on November 8, 2025, also uses aggressive methods to stop Android from closing it and ensures it restarts automatically every time the device reboots.

Forum Advertisement for RadzaRat (Image credit: Certo Software)

The emergence of RadzaRat goes on to show why users, especially those on Android devices, must be extra careful about what apps they download, as it can be a gateway for hackers to steal private and financial information.

New RadzaRat Spyware Poses as File Manager to Hijack Android Devices

A critical security flaw (CVE-2025-11001) in 7-Zip has a public exploit. Learn why this high-risk vulnerability is dangerous and how to manually update to version 25.01 now.

A vulnerability has been found in the very popular, free file-compressing tool 7-Zip. The flaw, tracked as CVE-2025-11001, has a public exploit, leading to a high-risk warning from the UK’s NHS England Digital.

While the NHS confirmed active exploitation has not been observed in the wild, the public PoC means the risk of future attacks is extremely high. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., with help from their AI tool AppSec Auditor Takumi.

****What’s the Problem?****

The issue is related to how older 7-Zip versions handle symbolic links inside ZIP files (a symbolic link is a shortcut to another file or folder). As explained by Trend Micro’s Zero Day Initiative (ZDI), which first revealed the vulnerability last month, it is a Directory Traversal RCE flaw.

This means, a specially made ZIP file can trick the program into traversing (moving) to unauthorised system directories during extraction, allowing an attacker to run unwanted programs or “execute arbitrary code.” The issue has a CVSS risk score of 7.0 (High), and exploiting it requires user interaction (the target must open the malicious ZIP file).

According to a blog post from vulnerability detection platform Mondoo, this flaw is particularly dangerous for three reasons. First, the extraction of a malicious ZIP can allow an attacker to run code using a high-level account, such as a service account or privileged user, possibly leading to a full system takeover. Second, it is relatively easy to exploit (only requiring a user to open the archive), and third, 7-Zip’s widespread use provides a vast attack surface of unpatched systems.

Mondoo shows CVE 2025 11001 flagged on a Windows system running 7 Zip

****Microsoft Flags Activity Linked to CVE 2025 11001****

The danger level increased dramatically when security researcher Dominik (known online as pacbypass) publicly shared a working proof-of-concept (PoC) exploit. This ready-to-use code provides cybercriminals with an easy blueprint for attacks, likely speeding up the spread of attacks. This flaw affects only Windows systems and is most critical when files are extracted under highly privileged accounts, which can lead to a full system takeover.

Microsoft has tracked malicious activity linked to this vulnerability under the label Exploit:Python/CVE 2025 11001.SA!MTB, a detection name rather than a family title, yet it still shows active use of the public code in malware campaigns.

****How to Stay Safe****

The issue was fixed with version 25.00 in July 2025. However, as Dominik Richter, CPO and Co-founder of Mondoo, told Hackread.com, the software lacks an internal update mechanism; therefore, updates must be performed manually by the user or managed through enterprise tools, scripts, or deployment systems like Microsoft Intune.

This lack of automated patching “means that it’s highly likely that many systems are still running the older version that is vulnerable to this CVE,” Richter noted.

To update manually, users must find all 7-Zip installations older than version 25.00 on Windows machines and promptly install the current version, 25.01. Or, download the latest version from 7-Zip’s official download page.

Critical 7 Zip Vulnerability With Public Exploit Requires Manual Update

CrowdStrike fired an insider for selling internal screenshots to Scattered Lapsus$ Hunters for $25,000. Read how the security team detected the activity and protected customers.

Leading cybersecurity firm CrowdStrike recently confirmed it fired an employee for sharing confidential internal details with a major hacking group. This incident, which became public on Friday, shows that internal human risk can be just as dangerous as technical flaws.

****Leaked Data Lands on Hacker Channel****

The terminated employee, who CrowdStrike described as a ‘suspicious insider,’ was caught giving information about the firm’s private systems to a notorious collective called Scattered Lapsus$ Hunters.

For your information, this group is widely known as a supergroup, comprising members from other prominent hacking entities like Scattered Spider, LAPSUS$, and ShinyHunters.

The stolen information, which was later posted as screenshots on the collective’s public Telegram channel, included images of internal dashboards. These visuals contained links to company resources, most notably an Okta Single Sign-On (SSO) panel. Simply put, the SSO is the main login page employees use to access their work applications.

****Hacker Claims Versus CrowdStrike’s Swift Defence****

The hackers initially claimed that they gained access to CrowdStrike’s network by exploiting a third-party vendor named Gainsight, a platform often used by Salesforce clients for customer management. They also claimed to have received authentication cookies, which are small pieces of data that let you stay logged into a website.

However, CrowdStrike representatives strongly denied any successful technical intrusion. They clarified that the screenshots were just the result of the insider taking pictures of their computer screen and sharing them externally, not a systemic network compromise. Further probing revealed that the group ShinyHunters had allegedly offered the employee $25,000 for network access.

One of the screenshots shared by the Scattered Lapsus Hunters hackers on Telegram

It is worth noting that while the hackers may have obtained some login information, CrowdStrike maintains that its security operations centre spotted the unusual activity quickly, before any harmful access could be established. This led to the insider’s termination last month.

A company spokesperson emphasised the firm’s successful defence, stating, “Our systems were never compromised and customers remained protected throughout.”

This entire episode is linked to a wider, aggressive effort by the Scattered Lapsus$ Hunters group, who have recently been attacking big companies by taking advantage of their contracts with outside vendors like Salesloft and Gainsight. CrowdStrike has since handed over the case to the relevant law enforcement agencies.

CrowdStrike Fires Worker Over Insider Leak to Scattered Lapsus Hunters

Sturnus, an advanced Android banking trojan, has been discovered by ThreatFabric. Learn how this malware bypasses end-to-end encryption on Signal and WhatsApp, steals bank credentials using fake screens, and executes fraudulent transactions.

Cybersecurity researchers have discovered a new, highly dangerous Android banking malware called Sturnus, named after the common starling or ‘songbird’ because of its complex and ‘chaotic’ communication style.

The Dutch cybersecurity firm ThreatFabric identified this privately-operated threat, which has features that are simply far more advanced and dangerous than what we’ve seen before.

According to ThreatFabric’s blog post, published on November 20, 2025, Sturnus is far more advanced than previous malware, capable of stealing your bank details, able to view chat content on apps like WhatsApp, Telegram, and Signal by abusing Android’s Accessibility Service

****How it Decodes Your ‘Encrypted’ Chats****

Even though these apps use end-to-end encryption, which means only you and the person you’re chatting with can read the messages, Sturnus completely gets around this protection. It works by relying on the Android Accessibility Service to read the message content directly from the screen after the legitimate app has decrypted it. This means the attackers can see full conversations, contacts, and all incoming and outgoing messages in real time.

(Image credit: ThreatFabric)

****A Fully Featured Threat****

The malware is distributed through social engineering campaigns, including Phishing (email), Smishing (SMS text messages), or via a malicious Dropper application, which tricks users into installing the final malware as an unofficial APK file

Once Sturnus infects a phone, it uses two integrated methods to steal sensitive data: deploying fake login screens, known as HTML overlays, that perfectly mimic banking apps; and simultaneously employing a comprehensive keylogging pipeline via the Accessibility Service to record every keystroke and screen tap.

Further probing revealed that the malware gives the attackers extensive remote control. They can type, monitor all activity, and, most disturbingly, display a black screen overlay to hide their actions while it silently executes fraudulent transactions in the background. The malware even uses its keylogging ability to steal PINs and Passwords, making it easy to unlock the device itself.

(Image credit: ThreatFabric)

****The Attack Status and Targets****

It is worth noting that Sturnus is highly persistent. It gains special privileges on the phone, called Device Administrator rights, and actively protects them. If a user tries to disable these rights or uninstall the malware in settings, Sturnus detects the attempt and automatically stops the action. This defence makes it very difficult to get rid of it once installed.

Researchers assess that although this malware is not yet widespread and is currently in an early testing phase, it is already fully functional. Its configurations show an immediate focus on targeting financial institutions across Southern and Central Europe. This concentration on high-value apps and specific regions suggests the criminals are simply getting ready for a much larger, more coordinated global attack.

In commentary shared exclusively with Hackread.com, Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, provided insight into the malware’s technical edge and broader risks.

“Sturnus poses a different kind of threat compared to other Android malware due to its ability to use a mix of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to,” Sood said.

“The combination of these three allows Sturnus to blend more easily into normal network patterns, while also hiding commands and stolen data from defence systems. This advanced level of evasion and resilience from the malware disrupts signature-based detection and can impede reverse-engineering efforts, making it harder to inspect Sturnus’ network traffic or recover the contents that it steals.”

Sood also highlighted the risk to organisations: “As a banking trojan, Sturnus is primarily targeting financial organisations. However, the ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organisations, as those applications are used across several industries to secure sensitive or confidential information.”

He advises, “Individuals who are at-risk, or who are in control of sensitive information, must avoid downloading APK files from outside Google Play, and should continuously monitor for malicious activity if infection is suspected.”

Source

HackRead