Fake LinkedIn comments warning of account restrictions are designed to trick users into revealing their login details.

Recently, fake LinkedIn profiles have started posting comment replies claiming that a user has **“engaged in activities that are not in compliance”** with LinkedIn’s policies and that their account has been **“temporarily restricted”** until they submit an appeal through a specified link in the comment.

The comments come in different shapes and sizes, but here’s one example we found.

The accounts posting the comments all try to look like official LinkedIn bots and use various names. It’s likely they create new accounts when LinkedIn removes them. Either way, multiple accounts similar to the “Linked Very” one above were reported in a short period, suggesting automated creation and posting at scale.

The same pattern is true for the links. The shortened link used in the example above has already been disabled, while others point directly to phishing sites. Scammers often use shortened LinkedIn links to build trust, making targets believe the messages are legitimate. Because LinkedIn can quickly disable these links, attackers likely test different approaches to see which last the longest.

Here’s another example:

Malwarebytes blocks this last link based on the IP address:

If users follow these links, they are taken to a phishing page designed to steal their LinkedIn login details:

Image courtesy of BleepingComputer

A LinkedIn spokesperson confirmed to BleepingComputer they are aware of the situation:

> “I can confirm that we are aware of this activity and our teams are working to take action.”

**Stay safe**

In situations like this awareness is key—and now you know what to watch for. Some additional tips:

*   Don’t click on unsolicited links in private messages and comments without verifying with the trusted sender that they’re legitimate.
*   Always log in directly on the platform that you are trying to access, rather than through a link.
*   Use a password manager, which won’t auto-fill in credentials on fake websites.
*   Use a real-time, up-to-date anti-malware solution with a web protection module to block malicious sites.

Pro tip: The free Malwarebytes Browser Guard extension blocks known malicious websites and scripts.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Phishing scammers are posting fake “account restricted” comments on LinkedIn 

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

*   An HR Agent that provisions or deprovisions accounts across IAM, SaaS apps, VPNs, and cloud platforms based on HR system updates.
*   A Change Management Agent that validates a change request, updates configuration in production systems, logs approvals in ServiceNow, and updates documentation in Confluence.
*   A Customer Support Agent that retrieves customer context from CRM, checks account status in billing systems, triggers fixes in backend services, and updates the support ticket.

To deliver value at scale, organizational AI agents are designed to serve many users and roles. They are granted broader access permissions, compared to individual users, in order to access the tools and data required to operate efficiently.

The availability of these agents has unlocked real productivity gains: faster triage, reduced manual effort, and streamlined operations. But these early wins come with a hidden cost. As AI agents become more powerful and more deeply integrated, they also become access intermediaries. Their wide permissions can obscure who is actually accessing what, and under which authority. In focusing on speed and automation, many organizations are overlooking the new access risks being introduced.

**The Access Model Behind Organizational Agents**

Organizational agents are typically designed to operate across many resources, serving multiple users, roles, and workflows through a single implementation. Rather than being tied to an individual user, these agents act as shared resources that can respond to requests, automate tasks, and orchestrate actions across systems on behalf of many users. This design makes agents easy to deploy and scalable across the organization.

To function seamlessly, agents rely on shared service accounts, API keys, or OAuth grants to authenticate with the systems they interact with. These credentials are often long-lived and centrally managed, allowing the agent to operate continuously without user involvement. To avoid friction and ensure the agent can handle a wide range of requests, permissions are frequently granted broadly, covering more systems, actions, and data than any single user would typically require.

While this approach maximizes convenience and coverage, these design choices can unintentionally create powerful access intermediaries that bypass traditional permission boundaries.

**Breaking the Traditional Access Control Model**

Organizational agents often operate with permissions far broader than those granted to individual users, enabling them to span multiple systems and workflows. When users interact with these agents, they no longer access systems directly; instead, they issue requests that the agent executes on their behalf. Those actions run under the agent's identity, not the user's. This breaks traditional access control models, where permissions are enforced at the user level. A user with limited access can indirectly trigger actions or retrieve data they would not be authorized to access directly, simply by going through the agent. Because logs and audit trails attribute activity to the agent, not the requester, this privilege escalation can occur without clear visibility, accountability, or policy enforcement.

**Organizational Agents Can Quietly Bypass Access Controls**

The risks of agent-driven privilege escalation often surface in subtle, everyday workflows rather than overt abuse. For example, a user with limited access to financial systems may interact with an organizational AI agent to "summarize customer performance." The agent, operating with broader permissions, pulls data from billing, CRM, and finance platforms, returning insights that the user would not be authorized to view directly.

In another scenario, an engineer without production access asks an AI agent to "fix a deployment issue." The agent investigates logs, modifies configuration in a production environment, and triggers a pipeline restart using its own elevated credentials. The user never touched production systems, yet production was changed on their behalf.

In both cases, no explicit policy is violated. The agent is authorized, the request appears legitimate, and existing IAM controls are technically enforced. However, access controls are effectively bypassed because authorization is evaluated at the agent level, not the user level, creating unintended and often invisible privilege escalation.

**The Limits of Traditional Access Controls in the Age of AI Agents**

Traditional security controls are built around human users and direct system access, which makes them poorly suited for agent-mediated workflows. IAM systems enforce permissions based on who the user is, but when actions are executed by an AI agent, authorization is evaluated against the agent's identity, not the requester's. As a result, user-level restrictions no longer apply. Logging and audit trails compound the problem by attributing activity to the agent's identity, masking who initiated the action and why. With agents, security teams have lost the ability to enforce least privilege, detect misuse, or reliably attribute intent, allowing privilege escalation to occur without triggering traditional controls. The lack of attribution also complicates investigations, slows incident response, and makes it difficult to determine intent or scope during a security event.

**Uncovering Privilege Escalation in Agent-Centric Access Models**

As organizational AI agents take on operational responsibilities across multiple systems, security teams need clear visibility into how agent identities map to critical assets such as sensitive data and operational systems. It's essential to understand who is using each agent and whether gaps exist between a user's permissions and the agent's broader access, creating unintended privilege escalation paths. Without this context, excessive access can remain hidden and unchallenged. Security teams must also continuously monitor changes to both user and agent permissions, as access evolves over time. This ongoing visibility is critical to identifying new escalation paths as they are silently introduced, before they can be misused or lead to security incidents.

**Securing Agents' Adoption with Wing Security**

AI agents are rapidly becoming some of the most powerful actors in the enterprise. They automate complex workflows, move across systems, and act on behalf of many users at machine speed. But that power becomes dangerous when agents are over-trusted. Broad permissions, shared usage, and limited visibility can quietly turn AI agents into privilege escalation paths and security blind spots.

Secure agent adoption requires visibility, identity awareness, and continuous monitoring. Wing provides the required visibility by continuously discovering which AI agents operate in your environment, what they can access, and how they are being used. Wing maps agent access to critical assets, correlates agent activity with user context, and detects gaps where agent permissions exceed user authorization.

With Wing, organizations can embrace AI agents confidently, unlocking AI automation and efficiency without sacrificing control, accountability, or security.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

AI Agents Are Becoming Privilege Escalation Paths

A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.

A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum.

The forum thread, titled “ Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code.

****What is Max Messenger****

Max is a cross-platform messaging and multifunction app released on March 26, 2025, by the tech company VK through its subsidiary, Communication Platform LLC. It has been heavily promoted within Russia as a “national messenger” alternative to foreign services like WhatsApp and Telegram and has seen growth in registered users, reportedly reaching millions across Russia and neighboring countries.

The service provides messaging, voice, and video calls, file sharing, and is intended to integrate digital identity and service features for government and commerce. In many cases, devices sold in Russia and Belarus have been required to ship with Max pre-installed under government policy.

Max is positioned as more than a simple chat app, aiming to combine messaging with state services and additional tools, similar to China’s WeChat model. Critics and independent analysts have previously raised concerns about privacy and the potential for state access to metadata and user information, given Max’s structural integration with the Russian government’s digital infrastructure

****Details of the breach claim****

In the DarkForums post, CamelliaBtw claims to have exfiltrated the entire production database, estimating the total compressed data size at 142 GB. The hacker states that the stolen data includes:

*   **Approximately 15.4 million user records containing full names, usernames, and verified phone numbers.**
*   **Active authentication tokens capable of bypassing two-factor authentication.**
*   **Bcrypt hashed passwords.**
*   **Complete communication metadata, including timestamps and sender and receiver identifiers, dating back to the platform’s launch.**
*   **Internal infrastructure assets such as SSH keys, API documentation, and Amazon S3 bucket configurations.**
*   **Unencrypted media files stored in cloud storage.**
*   **Backend source code, including what the attacker claims are hardcoded backdoors inside the platform’s encryption module**.

The post alleges that access was achieved through a previously unknown remote code execution vulnerability in Max Messenger’s media processing engine. According to the attacker, the flaw could be triggered by injecting a malformed payload into sticker pack metadata, allowing persistent backend access. The hacker claims the vulnerability existed since the beta phase in early 2025 and was never patched.

****Extortion threat****

The post includes a direct ultimatum to Max Messenger’s developers. CamelliaBtw claims the company has already been notified privately, but has not responded. The attacker states they have verified accounts belonging to politicians and corporate executives who joined the platform during its early growth period.

If a financial settlement described as a “bug bounty” is not negotiated within 24 hours, the hacker threatens to release the first 5 GB of raw SQL database files across more than ten public torrent trackers.

CamelliaBtw’s post on DarkForums (Image credit: Hackread.com)

****No confirmation yet****

As of publication, Max Messenger has not issued a public statement confirming or denying the breach. No sample data has yet been released publicly to independently verify the claims. Cybersecurity experts note that while some breach announcements on underground forums are exaggerated, the level of technical detail provided in this post suggests the claims warrant serious scrutiny.

If confirmed, the incident would represent one of the most severe messaging platform breaches in recent years, with long term implications for user privacy, account security, and trust in encrypted communication services.

Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.

"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code," Trellix said in a report shared with The Hacker News. "This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses."

The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Targets of the malicious activity include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors like oil and gas and import and export, with lures written in Arabic, Spanish, Portuguese, Farsi, and English, suggesting the attacks are restricted to a specific region.

The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it's susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The "ahost.exe" executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken's Desktop application.

An analysis of the artifact on VirusTotal reveals that it's distributed under dozens of names, including, but not limited to, "RFQ\_NO\_04958\_LG2049 pdf.exe," "PO-069709-MQ02959-Order-S103509.exe," "23RDJANUARY OVERDUE.INV.PDF.exe," "sales contract po-00423-025\_pdf.exe," and "Fatura da DHL.exe," indication the use of invoice and request for quote (RFQ) themes to trick users into opening it.

"This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken's ahost.exe to bypass security defenses," Trellix said. "By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft."

The disclosure comes as Trellix also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials. This works by creating a fake pop-up within the victim's legitimate browser window using an iframe element, making it virtually impossible to differentiate between a genuine and bogus login page.

"The attack often starts with a phishing email, which may be disguised as a communication from a law firm," researcher Mark Joseph Marti said. "This email typically contains a fake legal notice regarding an infringing video and includes a hyperlink disguised as a Facebook login link."

As soon as the victim clicks on the shortened URL, they are redirected to a phony Meta CAPTCHA prompt that instructs victims to sign in to their Facebook account. This, in turn, triggers a pop-up window that employs the BitB method to display a fake login screen designed to harvest their credentials.

Other variants of the social engineering campaign leverage phishing emails claiming copyright violations, unusual login alerts, impending account shutdowns due to suspicious activity, or potential security exploits. These messages are designed to induce a false sense of urgency and lead victims to pages hosted on Netlify or Vercel to capture their credentials. There is evidence to suggest that the phishing attacks may have been ongoing since July 2025.

"By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually," Trellix said. "The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages."

The findings coincide with the discovery of a multi-stage phishing campaign that exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links pointing to ZIP archives containing an internet shortcut (URL) file. Details of the campaign were first documented by Forcepoint X-Labs in February 2025.

"The initial payload, a Windows Script Host (WSH) file, was designed to download and execute additional malicious scripts hosted on a WebDAV server," Trend Micro said. "These scripts facilitated the download of batch files and further payloads, ensuring a seamless and persistent infection routine."

A standout aspect of the attack is the abuse of living-off-the-land (LotL) techniques that employ Windows Script Host, PowerShell, and native utilities, as well as Cloudflare's free-tier infrastructure to host the WebDAV server and evade detection.

The scripts staged on TryCloudflare domains are engineered to install a Python environment, establish persistence via Windows startup folder scripts, and inject the AsyncRAT shellcode into an "explorer.exe" process. In tandem, a decoy PDF is displayed to the victim as a distraction mechanism and misleads them into thinking that a legitimate document was accessed.

"The AsyncRAT campaign analyzed in this report demonstrates the increasing sophistication of threat actors in abusing legitimate services and open-source tools to evade detection and establish persistent remote access," Trend Micro said. "By utilizing Python-based scripts and abusing Cloudflare's free-tier infrastructure for hosting malicious payloads, the attackers successfully masked their activities under trusted domains, bypassing traditional security controls."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

****Zero-Day Threats and Active Risks****

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.

Patches details (Source: Qualys)

Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full _SYSTEM_ control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.

****Critical Fixes for Office and Windows****

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the _Preview Pane._

****Insights from Security Researchers****

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

Austin, TX / USA, 14th January 2026, CyberNewsWire

**Austin, TX / USA, January 14th, 2026, CyberNewsWire**

**New monitoring capability delivers unprecedented visibility into vendor identity exposures, moving enterprises and government agencies from static risk scoring to protecting against actual identity threats.** 

SpyCloud, the leader in identity threat protection, today announced the launch of its **Supply Chain Threat Protection** solution, an advanced layer of defense that expands identity threat protection across the extended workforce, including organizations’ entire vendor ecosystems. Unlike traditional third-party risk management platforms that rely on external surface indicators and static scoring, SpyCloud Supply Chain Threat Protection provides timely access to identity threats derived from billions of recaptured breach, malware, phished, and combolist data assets, empowering organizations – from enterprise security teams to public sector agencies – to act on credible threats rather than simply observe and accept risk.

Supply Chain Threat Protection addresses a critical gap in enterprise security: the inability to maintain real-time awareness of identity exposures affecting third-party partners and vendors. According to the 2025 Verizon Data Breach Investigations Report, third-party involvement in breaches doubled year-over-year, jumping from 15% to 30% primarily due to software vulnerabilities and weak security practices. As supply chain compromises continue to escalate, security teams need intelligence that goes beyond questionnaires and external scans to reveal active threats like phishing campaigns targeting their trusted partners, confirmed credential theft, and malware-infected devices exposing critical business applications to criminals. 

For government agencies and critical infrastructure operators, supply chain threats present national security risks that demand heightened vigilance. Public sector organizations managing sensitive data and critical services increasingly rely on contractors and technology vendors whose compromised credentials could provide adversaries with pathways into classified systems or essential infrastructure. Last year alone, the top 98 Defense Industrial Base suppliers had over 11,000 dark web exposed credentials – an 81% increase from the previous year. SpyCloud Supply Chain Threat Protection enables federal, state, and local agencies to identify when suppliers or contractors have been compromised – allowing them to take proactive measures before an identity exposure escalates into a matter of national security.

> “Third-party threats have evolved far beyond what traditional vendor assessment tools can detect,” said Damon Fleury, Chief Product Officer at SpyCloud. “Public and private sector organizations need to know when their vendors’ employees are actively compromised by malware or phishes, when authentication data is circulating on the dark web, and which partners pose the greatest real downstream threat to their business. Our new solution delivers those signals by transforming raw underground data into clear, prioritized actions that security teams use to protect their organization.”

Supply Chain Threat Protection enables organizations and agencies to continuously monitor thousands of suppliers, with each company’s threats enumerated in detail, and also represented in an at-a-glance Identity Threat Index. The Index is a comprehensive and continuously updated analysis that quantifies vendor security posture through the lens of identity exposure, from both active and historical phishing, breach, and malware sources, and surfaces which partners pose the most significant risk based on verified dark web intelligence.

**Key Capabilities Include:**

*   **Real Evidence of Compromise:** Timely recaptured identity data from breaches, malware, and successful phishes collected continuously from the criminal underground, with context that gives security teams enhanced visibility into the identity threats facing suppliers today.
*   **Identity Threat Index:** Aggregates multiple verified data sources weighted by the recency, volume, credibility, and severity of compromise, emphasizing verified identity data over static breach records for more robust and real-time visibility into vendor risk.
*   **Compromised Applications**: Identifies the internal and third-party business applications exposed on malware-infected supplier devices to support deeper investigation and risk assessment.
*   **Enhanced Vendor Management and Communications:** Facilitates sharing of actionable evidence and detailed executive-level reports directly with vendors to collaboratively improve security posture, transforming vendor relationships from adversarial scoring to collaborative protection.
*   **Integrated Response:** Leveraging SpyCloud’s console, teams now have access to identity threat protection beyond the traditional employee perimeter with this extension to suppliers, allowing analysts to respond to workforce identity threats within a single tool. 

SpyCloud Supply Chain Threat Protection is designed to support multiple use cases across Security Operations, Infosec, Vendor Risk Management, and GRC teams. Organizations can leverage the solution for vendor due diligence during procurement and onboarding, continuous risk reviews to strengthen vendor relationships, and accelerated incident response when vendor exposures threaten their own environments.

> “Security teams and their counterparts across the business are overwhelmed with vendor assessments, questionnaires, and risk scores that often don’t translate to real prevention,” said Alex Greer, Group Product Manager at SpyCloud. “Our customers have often reported that when they’re evaluating doing business with a new vendor, they lack the actionable data their legal and compliance teams need for evidence-based decision making. That’s where SpyCloud stands out. Surfacing verified identity threats tied directly to vendor compromise, letting teams escalate to leadership when to restrict data access and prioritize efforts for the greatest impact on reducing organizational risk.”

Unlike existing solutions that rely on external surface indicators and static scoring, SpyCloud provides threat data derived from underground sources – the same recaptured darknet identity data that criminals actively use to target organizations and agencies. This fundamental difference enables SpyCloud customers to move from passive risk acceptance to proactive and holistic identity threat protection.

To learn more about defending organizations from the exposures of vendors and suppliers, registration is open for SpyCloud’s upcoming Live Virtual Event, **Beyond Vendor Risk Scores: How to Solve the Hidden Identity Crisis in Your Supply Chain,** on **Thursday, January 22, 2026, at 11 am CT**. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, users can visit spycloud.com.

**Contact**

**Media Specialist**  
**Phil Tortora**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats

Cypher Injection vulnerability in Apache Camel camel-neo4j component.

This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0

Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4jrw-64vr-7g8m: Apache Camel camel-neo4j component is vulnerable to cypher injection

A Magecart campaign is skimming card data from online checkouts tied to major payment networks, including AmEx, Diners Club, and Mastercard.

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard.

Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming.

In the early days, Magecart started as a loose coalition of threat actors targeting Magento‑based web stores. Today, the name is used more broadly to describe web-skimming operations against many e‑commerce platforms. In these attacks, criminals inject JavaScript into legitimate checkout pages to capture card data and personal details as shoppers enter them.

The campaign described by the researchers has been active since early 2022. They found a vast network of domains related to a long-running credit card skimming operation with a wide reach.

> “This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.”

Attackers typically plant web skimmers on e-commerce sites by exploiting vulnerabilities in supply chains, third-party scripts, or the sites themselves. This is why web shop owners need to stay vigilant by keeping systems up to date and monitoring their content management system (CMS).

Web skimmers usually hook into the checkout flow using JavaScript. They are designed to read form fields containing card numbers, expiry dates, card verification codes (CVC), and billing or shipping details, then send that data to the attackers.

To avoid detection, the JavaScript is heavily obfuscated to and may even trigger a self‑destruct routine to remove the skimmer from the page. This can cause investigations performed through an admin session to appear unsuspicious.

Besides other methods to stay hidden, the campaign uses bulletproof hosting for a stable environment. Bulletproof hosting refers to web hosting services designed to shield cybercriminals by deliberately ignoring abuse complaints, takedown requests, and law enforcement actions.

**How to stay safe**

Magecart campaigns affect three groups: customers, merchants, and payment providers. Because web skimmers operate inside the browser, they can bypass many traditional server‑side fraud controls.

While shoppers cannot fix compromised checkout pages themselves, they can reduce their exposure and improve their chances of spotting fraud early.

A few things you can protect against the risk of web skimmers:

*   **Use virtual or single‑use cards** for online purchases so any skimmed card number has a limited lifetime and spending scope.
*   **Where possible, turn on transaction alerts** (SMS, email, or app push) for card activity and review statements regularly to spot unsolicited charges quickly.
*   **Use strong, unique passwords** on bank and card portals so attackers cannot easily pivot from stolen card data to full account takeover.
*   **Use a web protection solution** to avoid connecting to malicious domains.

Pro tip: Malwarebytes Browser Guard is free and blocks known malicious sites and scripts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Online shoppers at risk as Magecart skimming hits major payment networks 

Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.
The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.
"An improper neutralization of special elements used in an OS command ('OS command

Vulnerability / Patch Management

Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.

The operating system (OS) injection vulnerability, tracked as **CVE-2025-64155**, is rated 9.4 out of 10.0 on the CVSS scoring system.

"An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability \[CWE-78\] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," the company said in a Tuesday bulletin.

Fortinet said the vulnerability affects only Super and Worker nodes, and that it has been addressed in the following versions -

*   FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
*   FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
*   FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
*   FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
*   FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
*   FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
*   FortiSIEM 7.5 (Not affected)
*   FortiSIEM Cloud (Not affected)

Horizon3.ai security researcher Zach Hanley, who is credited with discovering and reporting the flaw on August 14, 2025, said it comprises two moving parts -

*   An unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user
*   A file overwrite privilege escalation vulnerability that leads to root access and completely compromises the appliance

Specifically, the problem has to do with how FortiSIEM's phMonitor service – a crucial backend process responsible for health monitoring, task distribution, and inter-node communication via TCP port 7900 – handles incoming requests related to logging security events to Elasticsearch.

This, in turn, invokes a shell script with user-controlled parameters, thereby opening the door to argument injection via curl and achieving arbitrary file writes to the disk in the context of the admin user.

This limited file write can be weaponized to achieve full system takeover by weaponizing the curl argument injection to write a reverse shell to "/opt/charting/redishb.sh," a file that's writable by an admin user and is executed every minute by the appliance by means of a cron job that runs with root-level permissions.

In other words, writing a reverse shell to this file enables privilege escalation from admin to root, granting the attacker unfettered access to the FortiSIEM appliance. The most important aspect of the attack is that the phMonitor service exposes several command handlers that do not require authentication. This makes it easy for an attacker to invoke these functions simply by obtaining network access to port 7900.

Fortinet has also shipped fixes for another critical security vulnerability in FortiFone (CVE-2025-47855, CVSS score: 9.3) that could allow an unauthenticated attacker to obtain device configuration via a specially crafted HTTP(S) request to the Web Portal page. It impacts the following versions of the enterprise communications platform -

*   FortiFone 3.0.13 through 3.0.23 (Upgrade to 3.0.24 or above)
*   FortiFone 7.0.0 through 7.0.1 (Upgrade to 7.0.2 or above)
*   FortiFone 7.2 (Not affected)

Users are advised to update to the latest versions for optimal protection. As workarounds for CVE-2025-64155, Fortinet is recommending that customers limit access to the phMonitor port (7900).

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution

Attackers use legitimate open-source software as cover, relying on user trust to compromise systems. We dive into an example.

It starts with a simple search.

You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding.

You install the software, launch it, and everything works exactly as expected.

What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer.

That’s exactly what we observed in a campaign using the fake domain **rustdesk\[.\]work**.

**The bait: a near-perfect impersonation**

We identified a malicious website at **rustdesk\[.\]work** impersonating the legitimate RustDesk project, which is hosted at **rustdesk.com**. The fake site closely mirrors the real one, complete with multilingual content and prominent warnings claiming (ironically) that rustdesk\[.\]work is the _only_ _official domain_.

This campaign doesn’t exploit software vulnerabilities or rely on advanced hacking techniques. It succeeds entirely through deception. When a website looks legitimate and the software behaves normally, most users never suspect anything is wrong.

**What happens when you run the installer**

The installer performs a deliberate bait-and-switch:

1.  It installs **real RustDesk**, fully functional and unmodified
2.  It quietly installs **a hidden backdoor**, a malware framework known as **Winos4.0**

The user sees RustDesk launch normally. Everything appears to work. Meanwhile, the backdoor quietly establishes a connection to the attacker’s server.

By bundling malware with working software, attackers remove the most obvious red flag: broken or missing functionality. From the user’s point of view, nothing feels wrong.

**Inside the infection chain**

The malware executes through a staged process, with each step designed to evade detection and establish persistence:

**Stage 1: The trojanized installer**

The downloaded file (rustdesk-1.4.4-x86_64.exe) acts as both **dropper and decoy**. It writes two files to disk:

*   The legitimate RustDesk installer, which is executed to maintain cover
*   logger.exe, the Winos4.0 payload

The malware hides in plain sight. While the user watches RustDesk install normally, the malicious payload is quietly staged in the background.

**Stage 2: Loader execution**

The logger.exe file is a loader — its job is to set up the environment for the main implant. During execution, it:

*   Creates a new process
*   Allocates executable memory
*   Transitions execution to a new runtime identity: Libserver.exe

This loader-to-implant handoff is a common technique in sophisticated malware to separate the initial dropper from the persistent backdoor.

By changing its process name, the malware makes forensic analysis harder. Defenders looking for “logger.exe” won’t find a running process with that name.

**Stage 3: In-memory module deployment**

The Libserver.exe process unpacks the actual Winos4.0 framework entirely in memory. Several WinosStager DLL modules—and a large ~128 MB payload—are loaded without being written to disk as standalone files.

Traditional antivirus tools focus on scanning files on disk (file-based detection). By keeping its functional components in memory only, the malware significantly reduces the effectiveness of file-based detection. This is why behavioral analysis and memory scanning are critical for detecting threats like Winos4.0.

The secondary payload is identified as **Winos4.0 (WinosStager)**: a sophisticated remote access framework that has been observed in multiple campaigns, particularly targeting users in Asia.

Once active, it allows attackers to:

*   Monitor victim activity and capture screenshots
*   Log keystrokes and steal credentials
*   Download and execute additional malware
*   Maintain persistent access even after system reboots

This isn’t simple malware—it’s a full-featured attack framework. Once installed, attackers have a foothold they can use to conduct espionage, steal data, or deploy ransomware at a time of their choosing.

**Technical detail: How the malware hides**

The malware employs several techniques to avoid detection:

**What it does**

**How it achieves this**

**Why it matters**

**Runs entirely in memory**

Loads executable code without writing files

Evades file-based detection

**Detects analysis environments**

Checks available system memory and looks for debugging tools

Prevents security researchers from analyzing its behavior

**Checks system language**

Queries locale settings via the Windows registry

May be used to target (or avoid) specific geographic regions

**Clears browser history**

Invokes system APIs to delete browsing data

Removes evidence of how the victim found the malicious site

**Hides configuration in the registry**

Stores encrypted data in unusual registry paths

Hides configuration from casual inspection

****Command-and-control activity****

Shortly after installation, the malware connects to an attacker-controlled server:

*   **IP:** 207.56.13\[.\]76
*   **Port:** 5666/TCP

This connection allows attackers to send commands to the infected machine and receive stolen data in return. Network analysis confirmed sustained two-way communication consistent with an established command-and-control session.

****How the malware blends into normal traffic****

The malware is particularly clever in how it disguises its network activity:

**Destination**

**Purpose**

207.56.13\[.\]76:5666

**Malicious:** Command-and-control server

209.250.254.15:21115-21116

**Legitimate:** RustDesk relay traffic

api.rustdesk.com:443

**Legitimate:** RustDesk API

Because the victim installed real RustDesk, the malware’s network traffic is mixed with legitimate remote desktop traffic. This makes it much harder for network security tools to identify the malicious connections: the infected computer looks like it’s just running RustDesk.

**What this campaign reveals**

This attack demonstrates a troubling trend: legitimate software used as camouflage for malware.

The attackers didn’t need to find a zero-day vulnerability or craft a sophisticated exploit. They simply:

1.  Registered a convincing domain name
2.  Cloned a legitimate website
3.  Bundled real software with their malware
4.  Let the victim do the rest

This approach works because it exploits human trust rather than technical weaknesses. When software behaves exactly as expected, users have no reason to suspect compromise.

**Indicators of compromise****File hashes (SHA256)**

File

SHA256

Classification

Trojanized installer

330016ab17f2b03c7bc0e10482f7cb70d44a46f03ea327cd6dfe50f772e6af30

Malicious

logger.exe / Libserver.exe

5d308205e3817adcfdda849ec669fa75970ba8ffc7ca643bf44aa55c2085cb86

Winos4.0 loader

RustDesk binary

c612fd5a91b2d83dd9761f1979543ce05f6fa1941de3e00e40f6c7cdb3d4a6a0

Legitimate

**Network indicators**

**Malicious domain:** rustdesk\[.\]work

**C2 server:** 207.56.13\[.\]76:5666/TCP

**In-memory payloads**

During execution, the malware unpacks several additional components directly into memory:

**SHA256**

**Size**

**Type**

a71bb5cf751d7df158567d7d44356a9c66b684f2f9c788ed32dadcdefd9c917a

107 KB

WinosStager DLL

900161e74c4dbab37328ca380edb651dc3e120cfca6168d38f5f53adffd469f6

351 KB

WinosStager DLL

770261423c9b0e913cb08e5f903b360c6c8fd6d70afdf911066bc8da67174e43

362 KB

WinosStager DLL

1354bd633b0f73229f8f8e33d67bab909fc919072c8b6d46eee74dc2d637fd31

104 KB

WinosStager DLL

412b10c7bb86adaacc46fe567aede149d7c835ebd3bcab2ed4a160901db622c7

~128 MB

In-memory payload

00781822b3d3798bcbec378dfbd22dc304b6099484839fe9a193ab2ed8852292

307 KB

In-memory payload

**How to protect yourself**

The rustdesk\[.\]work campaign shows how attackers can gain access without exploits, warnings, or broken software. By hiding behind trusted open-source tools, this attack achieved persistence and cover while giving victims no reason to suspect compromise.

The takeaway is simple: _software behaving normally does not mean it’s safe._ Modern threats are designed to blend in, making layered defenses and behavioral detection essential.

**For individuals:**

*   **Always verify download sources.** Before downloading software, check that the domain matches the official project. For RustDesk, the legitimate site is rustdesk.com—not rustdesk.work or similar variants.
*   **Be suspicious of search results.** Attackers use SEO poisoning to push malicious sites to the top of search results. When possible, navigate directly to official websites rather than clicking search links.
*   **Use security software.** Malwarebytes Premium Security detects malware families like Winos4.0, even when bundled with legitimate software.

**For businesses:**

*   **Monitor for unusual network connections.** Outbound traffic on port 5666/TCP, or connections to unfamiliar IP addresses from systems running remote desktop software, should be investigated.
*   **Implement application allowlisting.** Restrict which applications can run in your environment to prevent unauthorized software execution.
*   **Educate users about typosquatting.** Training programs should include examples of fake websites and how to verify legitimate download sources.
*   **Block known malicious infrastructure.** Add the IOCs listed above to your security tools.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.

Tag

#auth