Tel Aviv, Israel, 24th November 2025, CyberNewsWire

**Tel Aviv, Israel, November 24th, 2025, CyberNewsWire**

**Blast is introducing a new operating model for cloud security with a first-of-its-kind Preemptive Cloud Defense Platform, replacing reactive response with continuous prevention.**

Blast Security, a cybersecurity startup founded by industry veterans from Solebit (acquired by Mimecast) and elite IDF units, today announced its launch from stealth and a $10 million seed round co-led by 10D and MizMaa Ventures. Blast is redefining how organizations eliminate cloud risks using preventive guardrails to ensure environments remain secure by design. The company is already working with numerous global enterprises to secure their production environments, preventing cloud risk by over 90% and significantly shrinking the blast radius.

Enterprises operating at multi-cloud scale face relentless change and compounding complexity accelerated by the growth of AI. Blast’s Preemptive Cloud Defense Platform marks an inflection point for organizations shifting from reactive alert-chasing to proactive, continuously enforced prevention. It turns native cloud control into a preventive defense fabric, where every change is modelled, tested, and enforced safely. This approach ensures prevention never breaks production or slows innovation.

> “Cloud adoption and AI have multiplied complexity and risk faster than teams can keep up. The market is full of tools for detection and remediation, but the only reliable way to mitigate risk is to prevent it in the first place – and that’s what Blast is built to do,” said Boris Vaynberg, co-founder and CEO of Blast Security. “When Henry Ford introduced his automobile, many believed horses were good enough. It’s hard to see how a new approach can redefine the standard – until it becomes the standard. Our mission is to make prevention the new standard in cloud security and lead the market shift.”

The lightbulb moment for Blast’s founding team – Boris Vaynberg, Ido Bukra, and Roi Panai – came when they were called to reserve duty to lead a national-level cloud security project. During this critical time, the team realized that security must match the cloud’s speed, scale, and complexity with prevention measures-built in. Blast’s founding team brings over a decade of collaborative experience – their first company, Solebit, was acquired by Mimecast in their largest acquisition. Blast’s engineers are cloud security veterans committed to developing game-changing, practical solutions that prevent risks before they arise and keep cloud environments inherently secure.

> “At Via, we see the shift from alert-chasing to prevention as a strategic program to strengthen our overall defense. Blast enables us to enforce preventive guardrails at scale – making our cloud environments more resilient with the same resources, less manual effort, and the trust to ensure zero disruption to the business,” said Oren Hogery, CISO, Via.

> “Blast’s founding team has a remarkable history of solving complex security challenges,” said Itay Rand, General Partner at 10D Capital. “Their preemptive approach to cloud security meets a growing critical need in the market, enabling organizations to prevent threats rather than merely reacting to them. We’re thrilled to back Blast as they set a new standard for truly proactive cloud defense.”

To learn more about Blast’s Preemptive Cloud Defense Platform and its capabilities, users can visit blast.security. 

**About Blast Security**

Blast Security marks the end of reactive cloud security, replacing after-the-fact response with continuous prevention. Instead of reacting to threats and chasing alerts, Blast creates a living, preemptive defense fabric that continuously evolves with the enterprise cloud environment – eliminating alert fatigue, reducing operational friction, and shrinking the blast radius. The Blast founding team has worked together for more than a decade and has a proven track record of building scalable prevention products, including at Solebit (acquired by Mimecast). Headquartered in Tel Aviv, Blast is backed by leading investors and trusted by global organizations.

Users can visit **blast.security** to learn more.

**Contact**

**VP Markerting**  
**Dayana Nevo**  
**Blast Security**  
**\[email protected\]**

Elite Cyber Veterans Launch Blast Security with $10M to Turn Cloud Detection into Prevention

Cybersecurity firm Checkmarx Zero, in collaboration with Microsoft, removed a malicious 'prettier-vscode-plus' extension from the VSCode Marketplace. The fake coding tool was a Brandjacking attempt designed to deploy Anivia Stealer malware and steal Windows user credentials and data.

A swift response from security researchers recently stopped a harmful software attack targeting the popular Visual Studio Code (VSCode) Marketplace. A malicious extension, designed to look like Prettier – Code formatter, a legitimate and well-known coding tool, was quickly found and removed, stopping a potentially widespread security incident before it could cause damage.

****Quick Action Prevents Major Threat****

The security firm Checkmarx Zero identified the fake extension, named prettier-vscode-plus, which was posted under the publisher account publishingsofficial. This is an example of a Brandjacking attack, which occurs when a malicious party tries to use the good name of a trusted brand to trick people into downloading a dangerous alternative.

In this specific case, the extension exploited the famous Prettier brand name and was released on November 21, 2025, at 11:34:12 UTC. However, after collaborating with Microsoft and the VSCode Marketplace security group, the fake tool was taken down.

“We identified and reported this extension quickly, and it was removed within 4 hours after its publication,” a report shared with Hackread.com later stated. Because of this fast action, only a very small number of users were affected; the team found 6 downloads and 3 installs before the removal.

****A Hidden Danger****

Checkmarx Zero’s investigation revealed a multi-step attack designed to hide its true purpose. Instead of being a harmless coding tool, the extension was built to secretly load and run a variant of the Anivia Stealer, a malware designed to steal sensitive information from Windows computers, including passwords, private data, and even WhatsApp chats.

According to ThreatMon, an end-to-end intelligence platform, Anivia is being sold as Malware-as-a-Service for €120 per month or €680 for lifetime access. Researchers believe Anivia Stealer is likely a rebranded version of the earlier stealer known as ZeroTrace.

On the other hand, Checkmarx’s researchers noted that this attack was particularly clever. To prevent detection by common security software, it avoided writing the main malicious program directly onto the computer’s disk, instead running it from the machine’s memory. That’s a highly evasive technique.

Moreover, researchers also found that the malicious code was programmed to detect if it was running inside a security test environment (a sandbox) by checking for things like a very small amount of memory or a low CPU count, helping it hide its true purpose.

As we know it, extensions that attack tools used by developers are becoming a common way for cybercriminals to get access to company secrets and source code by stealing credentials. Checkmarx concludes that while this particular threat was stopped in its tracks, developers need to be careful when downloading tools, especially if they are from outside the official marketplace.

Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer

Certo Software found RadzaRat, an Android RAT disguised as a file manager that has a 0/66 detection rate on VirusTotal. It keylogs passwords and steals files.

Cybersecurity experts at Certo Software have discovered a new Android spyware called RadzaRat. This malware is a Remote Access Trojan (RAT) that gives criminals full remote control over a device, and alarmingly, it is currently completely undetectable to all major anti-virus programs. This important finding was shared with Hackread.com, highlighting a serious new risk for users.

****The File Manager Disguise****

According to Certo Software’s blog post, RadzaRat is hidden within an application that appears to be a normal file manager, a tool used to handle photos and documents. Once installed, it grants criminals extensive access, allowing them to browse and download files with advertised support for transfers up to 10 gigabytes, and even track everything you type, a feature known as keylogging.

Keylogging, as we know it, can steal sensitive details like passwords and credit card numbers. This capability is clearly demonstrated in the image shared by Certo Software researchers, which shows the malware operating and logging keystrokes via Telegram.

RadzaRat catching keystrokes.

****Zero-Detection and Low Cost****

A key concern is its distribution; the malware’s installation file was openly available online, which means anyone could download and use it. Furthermore, a test against 66 security vendors on VirusTotal showed a shocking 0/66 detection rate, proving it bypasses all current protection. This window of invisibility is a huge advantage for criminals.

VirusTotal scan showing zero detections (Image credit: Certo Software)

Co-founder of Certo Software, Simon Lewis, highlighted RadzaRat’s severity, stating: “What makes RadzaRat particularly dangerous is the combination of complete security vendor evasion and its public availability.”

“The APK installer file is openly accessible, meaning anyone can download and deploy their own version. We’re essentially watching a malware threat being distributed through the same platforms used for legitimate software development,” Lewis added.

****RadzaRat Spyware for Sale****

The malware is actively sold on underground forums by a developer named ‘Heron44’ and requires minimal resources to run, relying only on free services like a Render.com server and a Telegram bot.

This zero-cost setup means anyone with minimal skill can deploy it. The program, first made public on November 8, 2025, also uses aggressive methods to stop Android from closing it and ensures it restarts automatically every time the device reboots.

Forum Advertisement for RadzaRat (Image credit: Certo Software)

The emergence of RadzaRat goes on to show why users, especially those on Android devices, must be extra careful about what apps they download, as it can be a gateway for hackers to steal private and financial information.

New RadzaRat Spyware Poses as File Manager to Hijack Android Devices

A critical security flaw (CVE-2025-11001) in 7-Zip has a public exploit. Learn why this high-risk vulnerability is dangerous and how to manually update to version 25.01 now.

A vulnerability has been found in the very popular, free file-compressing tool 7-Zip. The flaw, tracked as CVE-2025-11001, has a public exploit, leading to a high-risk warning from the UK’s NHS England Digital.

While the NHS confirmed active exploitation has not been observed in the wild, the public PoC means the risk of future attacks is extremely high. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., with help from their AI tool AppSec Auditor Takumi.

****What’s the Problem?****

The issue is related to how older 7-Zip versions handle symbolic links inside ZIP files (a symbolic link is a shortcut to another file or folder). As explained by Trend Micro’s Zero Day Initiative (ZDI), which first revealed the vulnerability last month, it is a Directory Traversal RCE flaw.

This means, a specially made ZIP file can trick the program into traversing (moving) to unauthorised system directories during extraction, allowing an attacker to run unwanted programs or “execute arbitrary code.” The issue has a CVSS risk score of 7.0 (High), and exploiting it requires user interaction (the target must open the malicious ZIP file).

According to a blog post from vulnerability detection platform Mondoo, this flaw is particularly dangerous for three reasons. First, the extraction of a malicious ZIP can allow an attacker to run code using a high-level account, such as a service account or privileged user, possibly leading to a full system takeover. Second, it is relatively easy to exploit (only requiring a user to open the archive), and third, 7-Zip’s widespread use provides a vast attack surface of unpatched systems.

Mondoo shows CVE 2025 11001 flagged on a Windows system running 7 Zip

****Microsoft Flags Activity Linked to CVE 2025 11001****

The danger level increased dramatically when security researcher Dominik (known online as pacbypass) publicly shared a working proof-of-concept (PoC) exploit. This ready-to-use code provides cybercriminals with an easy blueprint for attacks, likely speeding up the spread of attacks. This flaw affects only Windows systems and is most critical when files are extracted under highly privileged accounts, which can lead to a full system takeover.

Microsoft has tracked malicious activity linked to this vulnerability under the label Exploit:Python/CVE 2025 11001.SA!MTB, a detection name rather than a family title, yet it still shows active use of the public code in malware campaigns.

****How to Stay Safe****

The issue was fixed with version 25.00 in July 2025. However, as Dominik Richter, CPO and Co-founder of Mondoo, told Hackread.com, the software lacks an internal update mechanism; therefore, updates must be performed manually by the user or managed through enterprise tools, scripts, or deployment systems like Microsoft Intune.

This lack of automated patching “means that it’s highly likely that many systems are still running the older version that is vulnerable to this CVE,” Richter noted.

To update manually, users must find all 7-Zip installations older than version 25.00 on Windows machines and promptly install the current version, 25.01. Or, download the latest version from 7-Zip’s official download page.

Critical 7 Zip Vulnerability With Public Exploit Requires Manual Update

CrowdStrike fired an insider for selling internal screenshots to Scattered Lapsus$ Hunters for $25,000. Read how the security team detected the activity and protected customers.

Leading cybersecurity firm CrowdStrike recently confirmed it fired an employee for sharing confidential internal details with a major hacking group. This incident, which became public on Friday, shows that internal human risk can be just as dangerous as technical flaws.

****Leaked Data Lands on Hacker Channel****

The terminated employee, who CrowdStrike described as a ‘suspicious insider,’ was caught giving information about the firm’s private systems to a notorious collective called Scattered Lapsus$ Hunters.

For your information, this group is widely known as a supergroup, comprising members from other prominent hacking entities like Scattered Spider, LAPSUS$, and ShinyHunters.

The stolen information, which was later posted as screenshots on the collective’s public Telegram channel, included images of internal dashboards. These visuals contained links to company resources, most notably an Okta Single Sign-On (SSO) panel. Simply put, the SSO is the main login page employees use to access their work applications.

****Hacker Claims Versus CrowdStrike’s Swift Defence****

The hackers initially claimed that they gained access to CrowdStrike’s network by exploiting a third-party vendor named Gainsight, a platform often used by Salesforce clients for customer management. They also claimed to have received authentication cookies, which are small pieces of data that let you stay logged into a website.

However, CrowdStrike representatives strongly denied any successful technical intrusion. They clarified that the screenshots were just the result of the insider taking pictures of their computer screen and sharing them externally, not a systemic network compromise. Further probing revealed that the group ShinyHunters had allegedly offered the employee $25,000 for network access.

One of the screenshots shared by the Scattered Lapsus Hunters hackers on Telegram

It is worth noting that while the hackers may have obtained some login information, CrowdStrike maintains that its security operations centre spotted the unusual activity quickly, before any harmful access could be established. This led to the insider’s termination last month.

A company spokesperson emphasised the firm’s successful defence, stating, “Our systems were never compromised and customers remained protected throughout.”

This entire episode is linked to a wider, aggressive effort by the Scattered Lapsus$ Hunters group, who have recently been attacking big companies by taking advantage of their contracts with outside vendors like Salesloft and Gainsight. CrowdStrike has since handed over the case to the relevant law enforcement agencies.

CrowdStrike Fires Worker Over Insider Leak to Scattered Lapsus Hunters

Sturnus, an advanced Android banking trojan, has been discovered by ThreatFabric. Learn how this malware bypasses end-to-end encryption on Signal and WhatsApp, steals bank credentials using fake screens, and executes fraudulent transactions.

Cybersecurity researchers have discovered a new, highly dangerous Android banking malware called Sturnus, named after the common starling or ‘songbird’ because of its complex and ‘chaotic’ communication style.

The Dutch cybersecurity firm ThreatFabric identified this privately-operated threat, which has features that are simply far more advanced and dangerous than what we’ve seen before.

According to ThreatFabric’s blog post, published on November 20, 2025, Sturnus is far more advanced than previous malware, capable of stealing your bank details, able to view chat content on apps like WhatsApp, Telegram, and Signal by abusing Android’s Accessibility Service

****How it Decodes Your ‘Encrypted’ Chats****

Even though these apps use end-to-end encryption, which means only you and the person you’re chatting with can read the messages, Sturnus completely gets around this protection. It works by relying on the Android Accessibility Service to read the message content directly from the screen after the legitimate app has decrypted it. This means the attackers can see full conversations, contacts, and all incoming and outgoing messages in real time.

(Image credit: ThreatFabric)

****A Fully Featured Threat****

The malware is distributed through social engineering campaigns, including Phishing (email), Smishing (SMS text messages), or via a malicious Dropper application, which tricks users into installing the final malware as an unofficial APK file

Once Sturnus infects a phone, it uses two integrated methods to steal sensitive data: deploying fake login screens, known as HTML overlays, that perfectly mimic banking apps; and simultaneously employing a comprehensive keylogging pipeline via the Accessibility Service to record every keystroke and screen tap.

Further probing revealed that the malware gives the attackers extensive remote control. They can type, monitor all activity, and, most disturbingly, display a black screen overlay to hide their actions while it silently executes fraudulent transactions in the background. The malware even uses its keylogging ability to steal PINs and Passwords, making it easy to unlock the device itself.

(Image credit: ThreatFabric)

****The Attack Status and Targets****

It is worth noting that Sturnus is highly persistent. It gains special privileges on the phone, called Device Administrator rights, and actively protects them. If a user tries to disable these rights or uninstall the malware in settings, Sturnus detects the attempt and automatically stops the action. This defence makes it very difficult to get rid of it once installed.

Researchers assess that although this malware is not yet widespread and is currently in an early testing phase, it is already fully functional. Its configurations show an immediate focus on targeting financial institutions across Southern and Central Europe. This concentration on high-value apps and specific regions suggests the criminals are simply getting ready for a much larger, more coordinated global attack.

In commentary shared exclusively with Hackread.com, Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, provided insight into the malware’s technical edge and broader risks.

“Sturnus poses a different kind of threat compared to other Android malware due to its ability to use a mix of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to,” Sood said.

“The combination of these three allows Sturnus to blend more easily into normal network patterns, while also hiding commands and stolen data from defence systems. This advanced level of evasion and resilience from the malware disrupts signature-based detection and can impede reverse-engineering efforts, making it harder to inspect Sturnus’ network traffic or recover the contents that it steals.”

Sood also highlighted the risk to organisations: “As a banking trojan, Sturnus is primarily targeting financial organisations. However, the ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organisations, as those applications are used across several industries to secure sensitive or confidential information.”

He advises, “Individuals who are at-risk, or who are in control of sensitive information, must avoid downloading APK files from outside Google Play, and should continuously monitor for malicious activity if infection is suspected.”

New Sturnus Android Malware Reads WhatsApp, Telegram, Signal Chats via Accessibility Abuse

ShinyHunters breached Gainsight apps integrated with Salesforce, claiming access to data from 1000 firms using stolen credentials and compromised tokens.

Salesforce, a renowned customer relationship management (CRM) platform, has confirmed it is dealing with a significant security incident. The company announced late Wednesday that some of its customers’ data was likely accessed by an outside party through an issue involving apps published by Gainsight, a company that provides customer success software.

“Our investigation indicates this activity may have enabled unauthorised access to certain customers’ Salesforce data through the app’s connection,” Salesforce’s official update stated.

The problem lies with the access tokens used by Gainsight’s connected applications, which are basically special digital keys allowing the apps to link to Salesforce systems. Attackers managed to steal and use these keys to bypass normal security.

Salesforce responded fast, immediately revoking all active tokens for the affected Gainsight apps and removing them from the AppExchange. Access to the Gainsight platform via Salesforce remains unavailable as of this morning. Both companies stressed the issue did not come from a flaw within the core Salesforce platform, but rather through the Gainsight app’s external connection.

****The Attack and the Threat****

Gainsight’s statement confirms the breach was detected when API calls came from unauthorised (non-whitelisted) IP addresses. As per the company’s update, only three organisations are currently known to be impacted, and Salesforce has proactively reached out to them. The investigation is still ongoing.

The notorious hacking group ShinyHunters claimed responsibility for the breach, telling DataBreaches.net they used credentials stolen from an earlier attack on Salesloft, where Gainsight was also a victim, to compromise Gainsight.

ShinyHunters on Telegram showing records allegedly stolen in the Gainsight data breach (Image credit: Hackread.com)

ShinyHunters claims this combined data theft affects “almost 1000 organisations,” including large companies like the following:

1.  F5
2.  Gitlab
3.  Verizon
4.  LinkedIn
5.  DocuSign
6.  Atlassian
7.  SonicWall
8.  MalwareBytes
9.  Thomson Reuters

_and others from the GainSight campaign._

ShinyHunters claims they used these stolen secrets to gain access to roughly 285 additional Salesforce customer systems. The exposed data potentially includes business contact and licensing details.

Furthermore, the hackers are trying to extort victims, directly threatening Salesforce to create a new data leak site containing data from both the Gainsight and Salesloft campaigns if the platform does not negotiate.

ShinyHunters on Telegram claiming the Gainsight data breach (Image credit: Hackread.com)

****Company Response and Customer Action****

Gainsight is working closely with Salesforce and has brought in the top cybersecurity firm, Mandiant, for an independent investigation. Gainsight’s official statement says they will not restore API access until all security layers have been fully reviewed.

Gainsight clarified that any function depending on reading from or writing to Salesforce is affected, including Connector data sync, Rules, Data Designer, Reports, Cockpit, Timeline, and Renewal Center.

However, most in-app workflows using Gainsight-native data are unaffected and run normally. As a precaution, Gainsight also revoked access for its Zendesk connector and temporarily delisted its app from the HubSpot Marketplace.

Customers can request the precise IP ranges for legitimate connections via a support ticket. Gainsight recommends using the direct NXT login method to bypass the Salesforce login block.

****Expert Analysis:****

In an analysis shared exclusively with Hackread.com, Brian Soby, CTO and co-founder at AppOmni, provided critical insight into the breach and its wider context:

“The Gainsight breach closely resembles other SaaS supply-chain compromises we’ve seen in recent years. Given how successful those earlier attacks were, it isn’t surprising that attackers reused similar techniques,” Soby said.

“What stands out most in this case is the sheer prevalence of Gainsight integrations. Gainsight is widely deployed and tightly connected to Salesforce, Slack, Google, Microsoft, and numerous other SaaS environments. Because of that footprint, customers now have to quickly identify every location where Gainsight was integrated, revoke those OAuth tokens, and investigate whether any of those connections were abused.”

Soby highlighted a specific difficulty in the investigation: “Salesforce has stated that it deleted tokens issued to Gainsight. While well-intentioned, that action also removed the records customers rely on to determine which of their users had granted OAuth access to Gainsight, which is the first step in conducting a proper investigation.”

Soby concluded by stressing that the industry has failed to learn from past incidents: “More broadly, this incident highlights persistent weaknesses in SaaS supply-chain security. The attack closely mirrors the earlier Drift breach, which also targeted Salesforce, Google Workspace, and other widely used SaaS platforms. The scale of the Gainsight compromise underscores that many organisations did not apply the lessons they should have learned from Drift, leaving large portions of their SaaS supply chain exposed.”

ShinyHunters Breach Gainsight Apps on Salesforce, Claim Data from 1000 Firms

Everest ransomware claims to have stolen over 180GB of seismic survey data from Petrobras, demanding contact through qTox with a countdown in place.

Everest ransomware group has listed two separate entries on its dark web leak site, both targeting Petrobras, a Brazilian majority state-owned multinational corporation giant in the petroleum industry headquartered in **Rio de Janeiro**.

****Petrobras and SAExploration Data****

Both listings were published on November 14, 2025. The first listing points to an alleged data breach involving both **Petrobras** and a partner firm, SAExploration. According to the group, it managed to steal a database that contains over 176 gigabytes of seismic navigation data. More than half of that, over 90 gigabytes, is said to belong directly to Petrobras.

The files, as per the group, contain highly detailed technical information, including ship positioning, equipment configurations, hydrophone readings, and depth measurements. There are also quality control documents, metadata, and processed reports that outline survey progress and initial conclusions from field operations.

It is worth noting that seismic surveys are critical in the oil and gas industry and require major investments to plan, capture, and process. If competitors gain access to this level of detail, including the accuracy of ship movement and node placement, they could use it to replicate Petrobras’ methods, lower their own costs, or gain leverage in contract negotiations.

Screenshort published by the Everest Ransomware group claiming Petrobras data breach (Image credit: Hackread.com)

****Petrobras’ Campos Basin Seismic Surveys****

The second listing from **Everest ransomware** focuses on Petrobras’ Campos Basin seismic surveys, which include both 3D and 4D data sets. This batch is again said to total more than 90 gigabytes and includes similar categories of sensitive information.

From ship coordinates and source depths to shot pressures and equipment alignment, the files suggest a full sweep of field survey documentation. Screenshots of some of the stolen data have also been shared by the group, which helps support the claim.

Screenshots published by the Everest Ransomware group (Image credit: Hackread.com)

The group has also issued a demand, stating that a representative from Petrobras must contact them through the encrypted messaging platform Tox within four days. They’ve provided a specific Tox ID and warned that if no communication is made before the deadline, further action may follow. A countdown timer was also posted alongside the message, making the deadline clear for the company to respond.

Screenshorts published by the Everest Ransomware group claiming Petrobras data breach (Image credit: Hackread.com)

****Right After The Alleged Under Armour Hack****

These breaches surfaced just as Everest also claimed responsibility for **hacking Under Armour**, saying it exfiltrated 343 gigabytes of data, including customer information, product records, and internal corporate files.

While Under Armour’s alleged breach targets a consumer-facing brand, the Petrobras incident could have deeper implications for industrial competitiveness and strategic operations within the energy sector.

Petrobras has not yet commented publicly on the claims; therefore, Hackread.com has reached out to the company. This article will be updated accordingly.

Everest Ransomware Says It Breached Brazilian Energy Giant Petrobras

Trustwave SpiderLabs warns of Eternidade Stealer, a new banking trojan spreading via personalised WhatsApp messages. Find out how this malicious software bypasses security checks and deploys fake login screens for major banks and wallets.

Cybersecurity researchers at Trustwave’s SpiderLabs have issued a warning about a new banking trojan targeting bank customers in Brazil. Dubbed Eternidade Stealer (Portuguese for Eternity), this malware uses the popular messaging app WhatsApp to trick people and steal their private financial information.

****The Attack Starts with a Simple Message****

The criminals employ social engineering, starting with a personalised WhatsApp message in Portuguese, featuring greetings that adjust to the time of day (like ‘good morning’). This tactic immediately makes the message seem legitimate. Once the victim clicks the attached malicious file, a complex attack chain begins.

The message researchers received via WhatsApp (Image credit: SpiderLabs)

The threat quickly takes over the user’s WhatsApp account. The program’s first action is to rapidly steal the victim’s entire contact list, which is immediately sent to the criminal’s control server. It then automatically sends itself to all the victim’s contacts using a spreading program written in Python script. This shift to Python is an important change from earlier attacks, which typically used different software.

Attack chain (Image credit: SpiderLabs)

****A Highly Targeted Operation****

According to Trustwave’s blog post, the Eternidade Stealer is built using Delphi, a programming language favoured by cybercriminals in Brazil for its efficiency and regional familiarity. The malware is highly localised; it only targets users with the Brazilian Portuguese operating system language.

Before launching its main attack, the stealer profiles the victim’s computer, checking for security software like Windows Defender or Kaspersky to help it avoid detection. The program is also cleverly designed to get its instructions by logging into a specific email account using the IMAP protocol to fetch the current location of its control server.

Researchers were able to confirm this behaviour when they accessed the threat actor’s email account, finding the criminal was using simple, easily-compromised credentials.

The threat actor’s email account accessed by SpiderLabs (Image credit: SpiderLabs)

****Stealing From Banks and Wallets****

Once active, the malware is programmed to watch for a long list of financial targets. It actively scans for applications linked to major Brazilian banks (like Itaú, Bradesco, and Caixa Econômica Federal), popular payment services (such as MercadoPago), and even cryptocurrency wallets and exchanges, including MetaMask, Trust Wallet, and Binance.

When a victim opens one of these targeted applications, the stealer deploys a fake screen, known as an overlay, that looks exactly like the login page. The victim unknowingly enters their sensitive information into this fake form, sending their credentials directly to the criminals.

To stay safe, be cautious of any unexpected messages or attachments, even if they appear to be from a known contact. If you receive a suspicious file, never open it; instead, call or text the supposed sender on a different platform to confirm they actually sent it.

New Eternidade Stealer Uses WhatsApp to Steal Banking Data

SquareX warns Perplexity's Comet AI browser contains a hidden MCP API that bypasses security, allowing attackers to install malware and seize full device control.

Security researchers from web browser security firm SquareX have issued a public warning after uncovering a vulnerability in Perplexity’s Comet AI browser. Their research, published on November 19, 2025, reveals a hidden feature that could allow cybercriminals complete control over a user’s computer.

****The Concealed API Threat****

The problem lies with a secretive mechanism called the MCP API (specifically, chrome.perplexity.mcp.addStdioServer). For your information, traditional web browsing relies on ‘sandbox isolation,’ a principle that intentionally locks down the browser environment to prevent websites or extensions from running programs on your PC.

However, the MCP API allows Comet’s own ‘embedded extensions’ to bypass this vital security layer, allowing them to execute any command on your device without asking for permission. This means that a breach could lead to malicious software installation, data theft, or device monitoring.

This feature has caused a massive breach of trust, particularly because official documentation for the MCP API is nearly non-existent, while the few available details only explain the feature’s intent, and don’t disclose that Comet’s extensions maintain persistent access to the API and can launch local applications arbitrarily. SquareX argues this functionality breaks decades of established browser security standards.

****Invisible Extensions, Zero Control****

Researchers found that the Comet browser comes pre-loaded with two hidden extensions: one for analytics and one for its AI agent features. These components power the browser’s agentic capabilities (its ability to act on your behalf). The MCP API resides in the Agentic extension and can be activated directly by the Perplexity website, creating a secret channel to access local data.

SquareX demonstrated the attack using extension stomping, where they disguised a malicious extension that then commanded the Agentic Extension to invoke the MCP API, and successfully launched WannaCry.

The team also noted that common vulnerabilities like XSS and MitM network attacks could be used to exploit this vulnerability just as easily. A compromise of Perplexity’s systems would instantly create a disastrous third-party risk, giving attackers unprecedented control over Comet users.

Attack demo (Credit: SquareX)

****Warning for the AI Browser Future****

While SquareX notes there is no evidence of Perplexity currently misusing this capability, the third-party risk remains substantial. They first contacted Perplexity to disclose the attack on Tuesday, November 4th, 2025, but as of the writing of their report, they had not received a reply. The firm clarified that this specific, vulnerable API has only been found in Comet among current AI browsers.

This discovery highlights inherent issues in the design of the new generation of AI browsers. SquareX is urging Perplexity and other AI browser makers to fully disclose all powerful APIs and provide users with a simple option to disable any embedded extensions that possess system-level access.

****Immediate Security Update: Perplexity Patches the Flaw****

SquareX has confirmed to us today that Perplexity has quietly fixed the vulnerability in the Comet browser. The firm noted that the attack they demonstrated now fails, showing the error message, ‘Local MCP is not enabled’ (see screenshot below). Since SquareX and other researchers were still able to carry out the attack just yesterday, it seems Perplexity deployed this fix very recently.

While SquareX is still waiting for a formal response from Perplexity about their initial report, the important thing is that users are no longer at risk from the MCP API exploit. The company looks forward to an official statement and remains committed to supporting Perplexity on security matters.

Security experts shared their analysis with Hackread.com on the broader implications for security and the enterprise. Randolph Barr, Chief Information Security Officer at Cequence Security, said the findings highlight a “deeper issue that goes beyond a single browser implementation.”

He emphasised that the shift breaks long-standing security assumptions: “AI-native browsers are introducing system-level behaviours that traditional browsers have intentionally restricted for decades… When embedded extensions can trigger OS-level actions… the browser effectively becomes a privileged agent on the device.”

Barr noted this creates an “expanded attack surface” driven by curiosity-driven adoption by employees on personal devices, behaviours that “inevitably bleed into the workplace.”

He also pointed out that AI browsers are easy targets, stating, “Attackers can identify them with a few lines of JavaScript or by probing for AI-specific behaviours… At scale, that enables targeted attacks against users running these higher-risk, agent-enabled environments.”

Ronald Lewis, Senior Innovation Manager at Black Duck, reminded users that AI browsers carry inherited risks alongside new ones. He pointed out that the Comet AI Browser “incorporates many of the risks associated with traditional browsers but also incorporates a significant number of AI-borne risks.”

Lewis suggested consumers be vigilant and proactively think about risks such as the potential for the AI tool to perform harmful or unexpected actions due to ambiguous instructions, whether it could respond to hidden system instructions, if external sources could manipulate the tool’s behaviour, and if third-party integrations could interact with the tool to trigger unintended actions.

Source

HackRead