The company, one of four finalists in this year's Black Hat USA Startup Spotlight competition, uses multi-agent system to build AI Digital Employees.

Startup Spotlight: Twine Security Tackles the Execution Gap

The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025.
AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS)

The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025.

AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS) attacks and relay malicious traffic for residential proxy services.

Details about Kimwolf emerged last month when QiAnXin XLab published an exhaustive analysis of the malware, which turns compromised devices – mostly unsanctioned Android TV streaming devices – into a residential proxy by delivering a software development kit (SDK) called ByteConnect either directly or through sketchy apps that come pre-installed on them.

The net result is that the botnet has expanded to infect more than 2 million Android devices with an exposed Android Debug Bridge (ADB) service by tunneling through residential proxy networks, thereby allowing the threat actors to compromise a wide swath of TV boxes.

A subsequent report from Synthient has revealed Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash.

Black Lotus Labs said it identified in September 2025 a group of residential SSH connections originating from multiple Canadian IP addresses based on its analysis of backend C2 for Aisuru at 65.108.5\[.\]46, with the IP addresses using SSH to access 194.46.59\[.\]169, which proxy-sdk.14emeliaterracewestroxburyma02132\[.\]su.

It's worth noting that the second-level domain surpassed Google in Cloudflare's list of top 100 domains in November 2025, prompting the web infrastructure company to scrub it from the list.

Then, in early October 2025, the cybersecurity company said it identified another C2 domain – greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132\[.\]su – that resolved to 104.171.170\[.\]21, an IP address belonging to Utah-based hosting provider Resi Rack LLC. The company advertises itself as a "Premium Game Server Hosting Provider."

This link is crucial, as a recent report from independent security journalist Brian Krebs revealed how people behind various proxy services based on the botnets were peddling their warez on a Discord server called resi\[.\]to. This also includes Resi Rack's co-founders, who are said to have been actively engaged in selling proxy services via Discord for nearly two years.

The server, which has since disappeared, was owned by someone named "d" (assessed to be short for the handle "Dort"), with Snow believed to be the botmaster.

"In early October, we observed a 300% surge in the number of new bots added to Kimwolf over a 7-day period, which was the start of an increase that reached 800,000 total bots by mid-month," Black Lotus Labs said. "Nearly all of the bots in this surge were found listed for sale on a single residential proxy service."

Subsequently, the Kimwolf C2 architecture was found to scan PYPROXY and other services for vulnerable devices between October 20, 2025, and November 6, 2025 -- a behavior explained by the botnet's exploitation of a security flaw in many proxy services that made it possible to interact with devices on the internal networks of residential proxy endpoints and drop the malware.

This, in turn, turns the device into a residential proxy node, causing its public IP address (assigned by the Internet Service Provider) to be listed for rent on a residential proxy provider site. Threat actors, such as those behind these botnets, then lease access to the infected node and weaponize it to scan the local network for devices with ADB mode enabled for further propagation.

"After one successful null route \[in October 2025\], we observed the greatfirewallisacensorshiptool domain move to 104.171.170\[.\]201, another Resi Rack LLC IP," Black Lotus Labs noted. "As this server stood up, we saw a large spike of traffic with 176.65.149\[.\]19:25565, a server used to host their malware. This was on a common ASN that was used by the Aisuru botnet at the same time."

The disclosure comes against the backdrop of a report from Chawkr that detailed a sophisticated proxy network containing 832 compromised KeeneticOS routers operating across Russian ISPs, such as Net By Net Holding LLC, VladLink, and GorodSamara.

"The consistent SSH fingerprints and identical configurations across all 832 devices point toward automated mass exploitation, whether leveraging stolen credentials, embedded backdoors, or known security flaws in the router firmware," it said. "Each compromised router maintains both HTTP (port 80) and SSH (port 22) access."

Given that these compromised SOHO routers function as residential proxy nodes, they provide threat actors with the ability to conduct malicious activities by blending into normal internet traffic. This illustrates how adversaries are increasingly leveraging consumer devices as conduits for multi-stage attacks.

"Unlike datacenter IPs or addresses from known hosting providers, these residential endpoints operate below the radar of most security vendor reputation lists and threat intelligence feeds," Chawkr noted.

"Their legitimate residential classification and clean IP reputation allow malicious traffic to masquerade as ordinary consumer activity, evading detection mechanisms that would immediately flag requests originating from suspicious hosting infrastructure or known proxy services."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers

Fake LinkedIn comments warning of account restrictions are designed to trick users into revealing their login details.

Recently, fake LinkedIn profiles have started posting comment replies claiming that a user has **“engaged in activities that are not in compliance”** with LinkedIn’s policies and that their account has been **“temporarily restricted”** until they submit an appeal through a specified link in the comment.

The comments come in different shapes and sizes, but here’s one example we found.

The accounts posting the comments all try to look like official LinkedIn bots and use various names. It’s likely they create new accounts when LinkedIn removes them. Either way, multiple accounts similar to the “Linked Very” one above were reported in a short period, suggesting automated creation and posting at scale.

The same pattern is true for the links. The shortened link used in the example above has already been disabled, while others point directly to phishing sites. Scammers often use shortened LinkedIn links to build trust, making targets believe the messages are legitimate. Because LinkedIn can quickly disable these links, attackers likely test different approaches to see which last the longest.

Here’s another example:

Malwarebytes blocks this last link based on the IP address:

If users follow these links, they are taken to a phishing page designed to steal their LinkedIn login details:

Image courtesy of BleepingComputer

A LinkedIn spokesperson confirmed to BleepingComputer they are aware of the situation:

> “I can confirm that we are aware of this activity and our teams are working to take action.”

**Stay safe**

In situations like this awareness is key—and now you know what to watch for. Some additional tips:

*   Don’t click on unsolicited links in private messages and comments without verifying with the trusted sender that they’re legitimate.
*   Always log in directly on the platform that you are trying to access, rather than through a link.
*   Use a password manager, which won’t auto-fill in credentials on fake websites.
*   Use a real-time, up-to-date anti-malware solution with a web protection module to block malicious sites.

Pro tip: The free Malwarebytes Browser Guard extension blocks known malicious websites and scripts.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Phishing scammers are posting fake “account restricted” comments on LinkedIn 

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

*   An HR Agent that provisions or deprovisions accounts across IAM, SaaS apps, VPNs, and cloud platforms based on HR system updates.
*   A Change Management Agent that validates a change request, updates configuration in production systems, logs approvals in ServiceNow, and updates documentation in Confluence.
*   A Customer Support Agent that retrieves customer context from CRM, checks account status in billing systems, triggers fixes in backend services, and updates the support ticket.

To deliver value at scale, organizational AI agents are designed to serve many users and roles. They are granted broader access permissions, compared to individual users, in order to access the tools and data required to operate efficiently.

The availability of these agents has unlocked real productivity gains: faster triage, reduced manual effort, and streamlined operations. But these early wins come with a hidden cost. As AI agents become more powerful and more deeply integrated, they also become access intermediaries. Their wide permissions can obscure who is actually accessing what, and under which authority. In focusing on speed and automation, many organizations are overlooking the new access risks being introduced.

**The Access Model Behind Organizational Agents**

Organizational agents are typically designed to operate across many resources, serving multiple users, roles, and workflows through a single implementation. Rather than being tied to an individual user, these agents act as shared resources that can respond to requests, automate tasks, and orchestrate actions across systems on behalf of many users. This design makes agents easy to deploy and scalable across the organization.

To function seamlessly, agents rely on shared service accounts, API keys, or OAuth grants to authenticate with the systems they interact with. These credentials are often long-lived and centrally managed, allowing the agent to operate continuously without user involvement. To avoid friction and ensure the agent can handle a wide range of requests, permissions are frequently granted broadly, covering more systems, actions, and data than any single user would typically require.

While this approach maximizes convenience and coverage, these design choices can unintentionally create powerful access intermediaries that bypass traditional permission boundaries.

**Breaking the Traditional Access Control Model**

Organizational agents often operate with permissions far broader than those granted to individual users, enabling them to span multiple systems and workflows. When users interact with these agents, they no longer access systems directly; instead, they issue requests that the agent executes on their behalf. Those actions run under the agent's identity, not the user's. This breaks traditional access control models, where permissions are enforced at the user level. A user with limited access can indirectly trigger actions or retrieve data they would not be authorized to access directly, simply by going through the agent. Because logs and audit trails attribute activity to the agent, not the requester, this privilege escalation can occur without clear visibility, accountability, or policy enforcement.

**Organizational Agents Can Quietly Bypass Access Controls**

The risks of agent-driven privilege escalation often surface in subtle, everyday workflows rather than overt abuse. For example, a user with limited access to financial systems may interact with an organizational AI agent to "summarize customer performance." The agent, operating with broader permissions, pulls data from billing, CRM, and finance platforms, returning insights that the user would not be authorized to view directly.

In another scenario, an engineer without production access asks an AI agent to "fix a deployment issue." The agent investigates logs, modifies configuration in a production environment, and triggers a pipeline restart using its own elevated credentials. The user never touched production systems, yet production was changed on their behalf.

In both cases, no explicit policy is violated. The agent is authorized, the request appears legitimate, and existing IAM controls are technically enforced. However, access controls are effectively bypassed because authorization is evaluated at the agent level, not the user level, creating unintended and often invisible privilege escalation.

**The Limits of Traditional Access Controls in the Age of AI Agents**

Traditional security controls are built around human users and direct system access, which makes them poorly suited for agent-mediated workflows. IAM systems enforce permissions based on who the user is, but when actions are executed by an AI agent, authorization is evaluated against the agent's identity, not the requester's. As a result, user-level restrictions no longer apply. Logging and audit trails compound the problem by attributing activity to the agent's identity, masking who initiated the action and why. With agents, security teams have lost the ability to enforce least privilege, detect misuse, or reliably attribute intent, allowing privilege escalation to occur without triggering traditional controls. The lack of attribution also complicates investigations, slows incident response, and makes it difficult to determine intent or scope during a security event.

**Uncovering Privilege Escalation in Agent-Centric Access Models**

As organizational AI agents take on operational responsibilities across multiple systems, security teams need clear visibility into how agent identities map to critical assets such as sensitive data and operational systems. It's essential to understand who is using each agent and whether gaps exist between a user's permissions and the agent's broader access, creating unintended privilege escalation paths. Without this context, excessive access can remain hidden and unchallenged. Security teams must also continuously monitor changes to both user and agent permissions, as access evolves over time. This ongoing visibility is critical to identifying new escalation paths as they are silently introduced, before they can be misused or lead to security incidents.

**Securing Agents' Adoption with Wing Security**

AI agents are rapidly becoming some of the most powerful actors in the enterprise. They automate complex workflows, move across systems, and act on behalf of many users at machine speed. But that power becomes dangerous when agents are over-trusted. Broad permissions, shared usage, and limited visibility can quietly turn AI agents into privilege escalation paths and security blind spots.

Secure agent adoption requires visibility, identity awareness, and continuous monitoring. Wing provides the required visibility by continuously discovering which AI agents operate in your environment, what they can access, and how they are being used. Wing maps agent access to critical assets, correlates agent activity with user context, and detects gaps where agent permissions exceed user authorization.

With Wing, organizations can embrace AI agents confidently, unlocking AI automation and efficiency without sacrificing control, accountability, or security.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

AI Agents Are Becoming Privilege Escalation Paths

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.

"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code," Trellix said in a report shared with The Hacker News. "This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses."

The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Targets of the malicious activity include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors like oil and gas and import and export, with lures written in Arabic, Spanish, Portuguese, Farsi, and English, suggesting the attacks are restricted to a specific region.

The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it's susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The "ahost.exe" executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken's Desktop application.

An analysis of the artifact on VirusTotal reveals that it's distributed under dozens of names, including, but not limited to, "RFQ\_NO\_04958\_LG2049 pdf.exe," "PO-069709-MQ02959-Order-S103509.exe," "23RDJANUARY OVERDUE.INV.PDF.exe," "sales contract po-00423-025\_pdf.exe," and "Fatura da DHL.exe," indication the use of invoice and request for quote (RFQ) themes to trick users into opening it.

"This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken's ahost.exe to bypass security defenses," Trellix said. "By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft."

The disclosure comes as Trellix also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials. This works by creating a fake pop-up within the victim's legitimate browser window using an iframe element, making it virtually impossible to differentiate between a genuine and bogus login page.

"The attack often starts with a phishing email, which may be disguised as a communication from a law firm," researcher Mark Joseph Marti said. "This email typically contains a fake legal notice regarding an infringing video and includes a hyperlink disguised as a Facebook login link."

As soon as the victim clicks on the shortened URL, they are redirected to a phony Meta CAPTCHA prompt that instructs victims to sign in to their Facebook account. This, in turn, triggers a pop-up window that employs the BitB method to display a fake login screen designed to harvest their credentials.

Other variants of the social engineering campaign leverage phishing emails claiming copyright violations, unusual login alerts, impending account shutdowns due to suspicious activity, or potential security exploits. These messages are designed to induce a false sense of urgency and lead victims to pages hosted on Netlify or Vercel to capture their credentials. There is evidence to suggest that the phishing attacks may have been ongoing since July 2025.

"By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually," Trellix said. "The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages."

The findings coincide with the discovery of a multi-stage phishing campaign that exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links pointing to ZIP archives containing an internet shortcut (URL) file. Details of the campaign were first documented by Forcepoint X-Labs in February 2025.

"The initial payload, a Windows Script Host (WSH) file, was designed to download and execute additional malicious scripts hosted on a WebDAV server," Trend Micro said. "These scripts facilitated the download of batch files and further payloads, ensuring a seamless and persistent infection routine."

A standout aspect of the attack is the abuse of living-off-the-land (LotL) techniques that employ Windows Script Host, PowerShell, and native utilities, as well as Cloudflare's free-tier infrastructure to host the WebDAV server and evade detection.

The scripts staged on TryCloudflare domains are engineered to install a Python environment, establish persistence via Windows startup folder scripts, and inject the AsyncRAT shellcode into an "explorer.exe" process. In tandem, a decoy PDF is displayed to the victim as a distraction mechanism and misleads them into thinking that a legitimate document was accessed.

"The AsyncRAT campaign analyzed in this report demonstrates the increasing sophistication of threat actors in abusing legitimate services and open-source tools to evade detection and establish persistent remote access," Trend Micro said. "By utilizing Python-based scripts and abusing Cloudflare's free-tier infrastructure for hosting malicious payloads, the attackers successfully masked their activities under trusted domains, bypassing traditional security controls."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

****Zero-Day Threats and Active Risks****

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.

Patches details (Source: Qualys)

Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full _SYSTEM_ control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.

****Critical Fixes for Office and Windows****

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the _Preview Pane._

****Insights from Security Researchers****

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

A Magecart campaign is skimming card data from online checkouts tied to major payment networks, including AmEx, Diners Club, and Mastercard.

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard.

Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming.

In the early days, Magecart started as a loose coalition of threat actors targeting Magento‑based web stores. Today, the name is used more broadly to describe web-skimming operations against many e‑commerce platforms. In these attacks, criminals inject JavaScript into legitimate checkout pages to capture card data and personal details as shoppers enter them.

The campaign described by the researchers has been active since early 2022. They found a vast network of domains related to a long-running credit card skimming operation with a wide reach.

> “This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.”

Attackers typically plant web skimmers on e-commerce sites by exploiting vulnerabilities in supply chains, third-party scripts, or the sites themselves. This is why web shop owners need to stay vigilant by keeping systems up to date and monitoring their content management system (CMS).

Web skimmers usually hook into the checkout flow using JavaScript. They are designed to read form fields containing card numbers, expiry dates, card verification codes (CVC), and billing or shipping details, then send that data to the attackers.

To avoid detection, the JavaScript is heavily obfuscated to and may even trigger a self‑destruct routine to remove the skimmer from the page. This can cause investigations performed through an admin session to appear unsuspicious.

Besides other methods to stay hidden, the campaign uses bulletproof hosting for a stable environment. Bulletproof hosting refers to web hosting services designed to shield cybercriminals by deliberately ignoring abuse complaints, takedown requests, and law enforcement actions.

**How to stay safe**

Magecart campaigns affect three groups: customers, merchants, and payment providers. Because web skimmers operate inside the browser, they can bypass many traditional server‑side fraud controls.

While shoppers cannot fix compromised checkout pages themselves, they can reduce their exposure and improve their chances of spotting fraud early.

A few things you can protect against the risk of web skimmers:

*   **Use virtual or single‑use cards** for online purchases so any skimmed card number has a limited lifetime and spending scope.
*   **Where possible, turn on transaction alerts** (SMS, email, or app push) for card activity and review statements regularly to spot unsolicited charges quickly.
*   **Use strong, unique passwords** on bank and card portals so attackers cannot easily pivot from stolen card data to full account takeover.
*   **Use a web protection solution** to avoid connecting to malicious domains.

Pro tip: Malwarebytes Browser Guard is free and blocks known malicious sites and scripts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Online shoppers at risk as Magecart skimming hits major payment networks 

New York, NY, 14th January 2026, CyberNewsWire

**New York, NY, January 14th, 2026, CyberNewsWire**

**Leading secrets security platform sees accelerated adoption across Fortune 500, with 60% of new customers choosing multi-year commitments.**

GitGuardian, the leading secrets and Non-Human Identity security platform, today announced record growth in ARR and customer expansion throughout 2025, reinforcing its position as the enterprise standard for protecting code, collaboration tools, and cloud infrastructure from exposed secrets and credentials.

With 70% of its revenue coming from the US, GitGuardian’s momentum in North America continued to accelerate in 2025, **as the region accounted for over 80% of new ARR**.

**Enterprise Trust & Adoption**

GitGuardian’s momentum was driven by deep adoption among global enterprise customers, including:

*   Deutsche Telekom
*   BASF
*   A leading enterprise cloud platform provider with 25,000+ employees globally headquartered in the USA
*   A major technology-enabled mobility and delivery platform with 30,000+ employees worldwide headquartered in the USA
*   A global pharmaceutical and biotechnology company with 90,000+ employees, headquartered in Europe
*   A major enterprise software vendor with 110,000+ employees
*   Leading financial services cooperative with 55,000+ employees in North America

Demonstrating confidence in GitGuardian’s long-term value, +**60% of new enterprise customers signed multi-year agreements** in 2025.

**Platform Scale & Coverage**

GitGuardian’s Secrets Security platform now protects:

*   **More than 115K developers** across enterprise customers globally.
*   **More than 610K enterprises’ repositories** continuously monitored for exposed secrets.
*   **More than 210K connected collaboration tool sources**, including Slack, Jira, Confluence, and major cloud platforms, this is 7 times 2024 number.
*   More than **16M free users’** **repositories,** 40% more than in 2024.

The platform detected and helped enterprises remediate 350K **new potential secret exposures** in 2025 alone, preventing security incidents before they could impact customers. It also remediated 5x more secrets than in 2024.

**Strong Global & Sector Growth**

The company strengthened its leadership in **Technology & Telecommunications, its core and most mature market**, while achieving **deep adoption across highly regulated industries** including Financial Services, Healthcare, and Insurance, where stringent security and compliance requirements drive platform value.

GitGuardian’s customer base also reflects strong industry diversification, spanning **Energy, Manufacturing, Media, Retail, and Professional Services sectors**.

**Customer Success & Retention**

GitGuardian maintained **industry-leading customer retention**, with customers expanding their use of the platform’s capabilities, including:

*   Digital Ocean
*   Orange

> “GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively.” Ari Kalfus Senior Manager, Product Security at DigitalOcean

> “At the scale of a large enterprise, we wanted to ensure our secrets management approach would meet regulatory standards well ahead of future requirements” Grégory Maitrallain, Solution Architect at Orange Business

**Looking Ahead**

> “Enterprise security teams are recognizing that secrets sprawl across their entire development ecosystem—from code repositories to collaboration tools to AI coding assistants,” said Eric Fourrier, CEO at GitGuardian. “Our customers are not just buying a point solution, but investing in a comprehensive Non-Human Identity security platform that scales with their business, which is why we’re seeing such strong multi-year commitment.”

**About GitGuardian**

GitGuardian is an end-to-end NHI Security platform that empowers software-driven organizations to secure their Non-Human Identities (NHIs) and comply with industry standards. With attackers increasingly targeting NHIs, such as service accounts and applications, GitGuardian integrates Secrets Security and NHI Governance. This dual approach enables the detection of compromised secrets across your dev environments while also managing non-human identities and their secrets’ lifecycles. The platform is the world’s most installed GitHub application and supports over 550+ types of secrets, offers public monitoring for leaked data, and deploys honeytokens for added defense. Trusted by over 600,000 developers, GitGuardian is the choice of leading organizations like Snowflake, ING, BASF, and Bouygues Telecom for robust secrets protection.

**Contact**

**Sr. Partner**  
**Holly Hagerman**  
**Connect Marketing**  
**\[email protected\]**

GitGuardian Closes 2025 with Strong Enterprise Momentum, Protecting Millions of Developers Worldwide

Attackers use legitimate open-source software as cover, relying on user trust to compromise systems. We dive into an example.

It starts with a simple search.

You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding.

You install the software, launch it, and everything works exactly as expected.

What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer.

That’s exactly what we observed in a campaign using the fake domain **rustdesk\[.\]work**.

**The bait: a near-perfect impersonation**

We identified a malicious website at **rustdesk\[.\]work** impersonating the legitimate RustDesk project, which is hosted at **rustdesk.com**. The fake site closely mirrors the real one, complete with multilingual content and prominent warnings claiming (ironically) that rustdesk\[.\]work is the _only_ _official domain_.

This campaign doesn’t exploit software vulnerabilities or rely on advanced hacking techniques. It succeeds entirely through deception. When a website looks legitimate and the software behaves normally, most users never suspect anything is wrong.

**What happens when you run the installer**

The installer performs a deliberate bait-and-switch:

1.  It installs **real RustDesk**, fully functional and unmodified
2.  It quietly installs **a hidden backdoor**, a malware framework known as **Winos4.0**

The user sees RustDesk launch normally. Everything appears to work. Meanwhile, the backdoor quietly establishes a connection to the attacker’s server.

By bundling malware with working software, attackers remove the most obvious red flag: broken or missing functionality. From the user’s point of view, nothing feels wrong.

**Inside the infection chain**

The malware executes through a staged process, with each step designed to evade detection and establish persistence:

**Stage 1: The trojanized installer**

The downloaded file (rustdesk-1.4.4-x86_64.exe) acts as both **dropper and decoy**. It writes two files to disk:

*   The legitimate RustDesk installer, which is executed to maintain cover
*   logger.exe, the Winos4.0 payload

The malware hides in plain sight. While the user watches RustDesk install normally, the malicious payload is quietly staged in the background.

**Stage 2: Loader execution**

The logger.exe file is a loader — its job is to set up the environment for the main implant. During execution, it:

*   Creates a new process
*   Allocates executable memory
*   Transitions execution to a new runtime identity: Libserver.exe

This loader-to-implant handoff is a common technique in sophisticated malware to separate the initial dropper from the persistent backdoor.

By changing its process name, the malware makes forensic analysis harder. Defenders looking for “logger.exe” won’t find a running process with that name.

**Stage 3: In-memory module deployment**

The Libserver.exe process unpacks the actual Winos4.0 framework entirely in memory. Several WinosStager DLL modules—and a large ~128 MB payload—are loaded without being written to disk as standalone files.

Traditional antivirus tools focus on scanning files on disk (file-based detection). By keeping its functional components in memory only, the malware significantly reduces the effectiveness of file-based detection. This is why behavioral analysis and memory scanning are critical for detecting threats like Winos4.0.

The secondary payload is identified as **Winos4.0 (WinosStager)**: a sophisticated remote access framework that has been observed in multiple campaigns, particularly targeting users in Asia.

Once active, it allows attackers to:

*   Monitor victim activity and capture screenshots
*   Log keystrokes and steal credentials
*   Download and execute additional malware
*   Maintain persistent access even after system reboots

This isn’t simple malware—it’s a full-featured attack framework. Once installed, attackers have a foothold they can use to conduct espionage, steal data, or deploy ransomware at a time of their choosing.

**Technical detail: How the malware hides**

The malware employs several techniques to avoid detection:

**What it does**

**How it achieves this**

**Why it matters**

**Runs entirely in memory**

Loads executable code without writing files

Evades file-based detection

**Detects analysis environments**

Checks available system memory and looks for debugging tools

Prevents security researchers from analyzing its behavior

**Checks system language**

Queries locale settings via the Windows registry

May be used to target (or avoid) specific geographic regions

**Clears browser history**

Invokes system APIs to delete browsing data

Removes evidence of how the victim found the malicious site

**Hides configuration in the registry**

Stores encrypted data in unusual registry paths

Hides configuration from casual inspection

****Command-and-control activity****

Shortly after installation, the malware connects to an attacker-controlled server:

*   **IP:** 207.56.13\[.\]76
*   **Port:** 5666/TCP

This connection allows attackers to send commands to the infected machine and receive stolen data in return. Network analysis confirmed sustained two-way communication consistent with an established command-and-control session.

****How the malware blends into normal traffic****

The malware is particularly clever in how it disguises its network activity:

**Destination**

**Purpose**

207.56.13\[.\]76:5666

**Malicious:** Command-and-control server

209.250.254.15:21115-21116

**Legitimate:** RustDesk relay traffic

api.rustdesk.com:443

**Legitimate:** RustDesk API

Because the victim installed real RustDesk, the malware’s network traffic is mixed with legitimate remote desktop traffic. This makes it much harder for network security tools to identify the malicious connections: the infected computer looks like it’s just running RustDesk.

**What this campaign reveals**

This attack demonstrates a troubling trend: legitimate software used as camouflage for malware.

The attackers didn’t need to find a zero-day vulnerability or craft a sophisticated exploit. They simply:

1.  Registered a convincing domain name
2.  Cloned a legitimate website
3.  Bundled real software with their malware
4.  Let the victim do the rest

This approach works because it exploits human trust rather than technical weaknesses. When software behaves exactly as expected, users have no reason to suspect compromise.

**Indicators of compromise****File hashes (SHA256)**

File

SHA256

Classification

Trojanized installer

330016ab17f2b03c7bc0e10482f7cb70d44a46f03ea327cd6dfe50f772e6af30

Malicious

logger.exe / Libserver.exe

5d308205e3817adcfdda849ec669fa75970ba8ffc7ca643bf44aa55c2085cb86

Winos4.0 loader

RustDesk binary

c612fd5a91b2d83dd9761f1979543ce05f6fa1941de3e00e40f6c7cdb3d4a6a0

Legitimate

**Network indicators**

**Malicious domain:** rustdesk\[.\]work

**C2 server:** 207.56.13\[.\]76:5666/TCP

**In-memory payloads**

During execution, the malware unpacks several additional components directly into memory:

**SHA256**

**Size**

**Type**

a71bb5cf751d7df158567d7d44356a9c66b684f2f9c788ed32dadcdefd9c917a

107 KB

WinosStager DLL

900161e74c4dbab37328ca380edb651dc3e120cfca6168d38f5f53adffd469f6

351 KB

WinosStager DLL

770261423c9b0e913cb08e5f903b360c6c8fd6d70afdf911066bc8da67174e43

362 KB

WinosStager DLL

1354bd633b0f73229f8f8e33d67bab909fc919072c8b6d46eee74dc2d637fd31

104 KB

WinosStager DLL

412b10c7bb86adaacc46fe567aede149d7c835ebd3bcab2ed4a160901db622c7

~128 MB

In-memory payload

00781822b3d3798bcbec378dfbd22dc304b6099484839fe9a193ab2ed8852292

307 KB

In-memory payload

**How to protect yourself**

The rustdesk\[.\]work campaign shows how attackers can gain access without exploits, warnings, or broken software. By hiding behind trusted open-source tools, this attack achieved persistence and cover while giving victims no reason to suspect compromise.

The takeaway is simple: _software behaving normally does not mean it’s safe._ Modern threats are designed to blend in, making layered defenses and behavioral detection essential.

**For individuals:**

*   **Always verify download sources.** Before downloading software, check that the domain matches the official project. For RustDesk, the legitimate site is rustdesk.com—not rustdesk.work or similar variants.
*   **Be suspicious of search results.** Attackers use SEO poisoning to push malicious sites to the top of search results. When possible, navigate directly to official websites rather than clicking search links.
*   **Use security software.** Malwarebytes Premium Security detects malware families like Winos4.0, even when bundled with legitimate software.

**For businesses:**

*   **Monitor for unusual network connections.** Outbound traffic on port 5666/TCP, or connections to unfamiliar IP addresses from systems running remote desktop software, should be investigated.
*   **Implement application allowlisting.** Restrict which applications can run in your environment to prevent unauthorized software execution.
*   **Educate users about typosquatting.** Training programs should include examples of fake websites and how to verify legitimate download sources.
*   **Block known malicious infrastructure.** Add the IOCs listed above to your security tools.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.

 How real software downloads can hide remote backdoors 

Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Wednesday, January 14, 2026 06:00

Cisco Talos is kicking off the new year with a behind-the-scenes look at incident response through the eyes of Terryn Valikodath, Senior Incident Response Consultant at Talos. In this episode, Amy sits down with Terryn to explore the realities of a job that blends technical know-how with communication skills, proactive planning, and a passion for problem-solving. Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during cyber range trainings, and the creative outlets that help him recharge.

**Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?**

Terryn Valikodath: Absolutely. I’m a Senior Incident Response Consultant, so essentially an incident responder. The unique thing about our team is that we handle both proactive and reactive work. On the proactive side, we help develop incident response plans, run tabletop exercises, threat hunts, training, and similar tasks. On the reactive side, we step in when an organization experiences a security event, investigate, and provide recommendations to get them back up and running. It’s rewarding to see both sides of the work.

**AC: On my end, I'm always amazed at all the different services Cisco Talos Incident Response provides. Is it difficult to balance them, and is there a part of the job you enjoy most?**

TV: It definitely takes some getting used to since most cybersecurity roles focus on either proactive or reactive tasks, not both. But it’s helpful, because our direct experience informs the advice we give. For example, when we develop an incident response plan, we can reference real situations we’ve handled. That builds trust with customers. My favorite aspect is running cyber range trainings — a three-day course where we teach technical folks how to handle incident response. I’m passionate about teaching, both externally and within our team. I enjoy demystifying the field and showing people that it’s about dedication and learning, not just being a specialist.

_Want to see more? Watch the_ _full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos._

Tag

#git