AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

*   An HR Agent that provisions or deprovisions accounts across IAM, SaaS apps, VPNs, and cloud platforms based on HR system updates.
*   A Change Management Agent that validates a change request, updates configuration in production systems, logs approvals in ServiceNow, and updates documentation in Confluence.
*   A Customer Support Agent that retrieves customer context from CRM, checks account status in billing systems, triggers fixes in backend services, and updates the support ticket.

To deliver value at scale, organizational AI agents are designed to serve many users and roles. They are granted broader access permissions, compared to individual users, in order to access the tools and data required to operate efficiently.

The availability of these agents has unlocked real productivity gains: faster triage, reduced manual effort, and streamlined operations. But these early wins come with a hidden cost. As AI agents become more powerful and more deeply integrated, they also become access intermediaries. Their wide permissions can obscure who is actually accessing what, and under which authority. In focusing on speed and automation, many organizations are overlooking the new access risks being introduced.

**The Access Model Behind Organizational Agents**

Organizational agents are typically designed to operate across many resources, serving multiple users, roles, and workflows through a single implementation. Rather than being tied to an individual user, these agents act as shared resources that can respond to requests, automate tasks, and orchestrate actions across systems on behalf of many users. This design makes agents easy to deploy and scalable across the organization.

To function seamlessly, agents rely on shared service accounts, API keys, or OAuth grants to authenticate with the systems they interact with. These credentials are often long-lived and centrally managed, allowing the agent to operate continuously without user involvement. To avoid friction and ensure the agent can handle a wide range of requests, permissions are frequently granted broadly, covering more systems, actions, and data than any single user would typically require.

While this approach maximizes convenience and coverage, these design choices can unintentionally create powerful access intermediaries that bypass traditional permission boundaries.

**Breaking the Traditional Access Control Model**

Organizational agents often operate with permissions far broader than those granted to individual users, enabling them to span multiple systems and workflows. When users interact with these agents, they no longer access systems directly; instead, they issue requests that the agent executes on their behalf. Those actions run under the agent's identity, not the user's. This breaks traditional access control models, where permissions are enforced at the user level. A user with limited access can indirectly trigger actions or retrieve data they would not be authorized to access directly, simply by going through the agent. Because logs and audit trails attribute activity to the agent, not the requester, this privilege escalation can occur without clear visibility, accountability, or policy enforcement.

**Organizational Agents Can Quietly Bypass Access Controls**

The risks of agent-driven privilege escalation often surface in subtle, everyday workflows rather than overt abuse. For example, a user with limited access to financial systems may interact with an organizational AI agent to "summarize customer performance." The agent, operating with broader permissions, pulls data from billing, CRM, and finance platforms, returning insights that the user would not be authorized to view directly.

In another scenario, an engineer without production access asks an AI agent to "fix a deployment issue." The agent investigates logs, modifies configuration in a production environment, and triggers a pipeline restart using its own elevated credentials. The user never touched production systems, yet production was changed on their behalf.

In both cases, no explicit policy is violated. The agent is authorized, the request appears legitimate, and existing IAM controls are technically enforced. However, access controls are effectively bypassed because authorization is evaluated at the agent level, not the user level, creating unintended and often invisible privilege escalation.

**The Limits of Traditional Access Controls in the Age of AI Agents**

Traditional security controls are built around human users and direct system access, which makes them poorly suited for agent-mediated workflows. IAM systems enforce permissions based on who the user is, but when actions are executed by an AI agent, authorization is evaluated against the agent's identity, not the requester's. As a result, user-level restrictions no longer apply. Logging and audit trails compound the problem by attributing activity to the agent's identity, masking who initiated the action and why. With agents, security teams have lost the ability to enforce least privilege, detect misuse, or reliably attribute intent, allowing privilege escalation to occur without triggering traditional controls. The lack of attribution also complicates investigations, slows incident response, and makes it difficult to determine intent or scope during a security event.

**Uncovering Privilege Escalation in Agent-Centric Access Models**

As organizational AI agents take on operational responsibilities across multiple systems, security teams need clear visibility into how agent identities map to critical assets such as sensitive data and operational systems. It's essential to understand who is using each agent and whether gaps exist between a user's permissions and the agent's broader access, creating unintended privilege escalation paths. Without this context, excessive access can remain hidden and unchallenged. Security teams must also continuously monitor changes to both user and agent permissions, as access evolves over time. This ongoing visibility is critical to identifying new escalation paths as they are silently introduced, before they can be misused or lead to security incidents.

**Securing Agents' Adoption with Wing Security**

AI agents are rapidly becoming some of the most powerful actors in the enterprise. They automate complex workflows, move across systems, and act on behalf of many users at machine speed. But that power becomes dangerous when agents are over-trusted. Broad permissions, shared usage, and limited visibility can quietly turn AI agents into privilege escalation paths and security blind spots.

Secure agent adoption requires visibility, identity awareness, and continuous monitoring. Wing provides the required visibility by continuously discovering which AI agents operate in your environment, what they can access, and how they are being used. Wing maps agent access to critical assets, correlates agent activity with user context, and detects gaps where agent permissions exceed user authorization.

With Wing, organizations can embrace AI agents confidently, unlocking AI automation and efficiency without sacrificing control, accountability, or security.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

AI Agents Are Becoming Privilege Escalation Paths

A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.

A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum.

The forum thread, titled “ Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code.

****What is Max Messenger****

Max is a cross-platform messaging and multifunction app released on March 26, 2025, by the tech company VK through its subsidiary, Communication Platform LLC. It has been heavily promoted within Russia as a “national messenger” alternative to foreign services like WhatsApp and Telegram and has seen growth in registered users, reportedly reaching millions across Russia and neighboring countries.

The service provides messaging, voice, and video calls, file sharing, and is intended to integrate digital identity and service features for government and commerce. In many cases, devices sold in Russia and Belarus have been required to ship with Max pre-installed under government policy.

Max is positioned as more than a simple chat app, aiming to combine messaging with state services and additional tools, similar to China’s WeChat model. Critics and independent analysts have previously raised concerns about privacy and the potential for state access to metadata and user information, given Max’s structural integration with the Russian government’s digital infrastructure

****Details of the breach claim****

In the DarkForums post, CamelliaBtw claims to have exfiltrated the entire production database, estimating the total compressed data size at 142 GB. The hacker states that the stolen data includes:

*   **Approximately 15.4 million user records containing full names, usernames, and verified phone numbers.**
*   **Active authentication tokens capable of bypassing two-factor authentication.**
*   **Bcrypt hashed passwords.**
*   **Complete communication metadata, including timestamps and sender and receiver identifiers, dating back to the platform’s launch.**
*   **Internal infrastructure assets such as SSH keys, API documentation, and Amazon S3 bucket configurations.**
*   **Unencrypted media files stored in cloud storage.**
*   **Backend source code, including what the attacker claims are hardcoded backdoors inside the platform’s encryption module**.

The post alleges that access was achieved through a previously unknown remote code execution vulnerability in Max Messenger’s media processing engine. According to the attacker, the flaw could be triggered by injecting a malformed payload into sticker pack metadata, allowing persistent backend access. The hacker claims the vulnerability existed since the beta phase in early 2025 and was never patched.

****Extortion threat****

The post includes a direct ultimatum to Max Messenger’s developers. CamelliaBtw claims the company has already been notified privately, but has not responded. The attacker states they have verified accounts belonging to politicians and corporate executives who joined the platform during its early growth period.

If a financial settlement described as a “bug bounty” is not negotiated within 24 hours, the hacker threatens to release the first 5 GB of raw SQL database files across more than ten public torrent trackers.

CamelliaBtw’s post on DarkForums (Image credit: Hackread.com)

****No confirmation yet****

As of publication, Max Messenger has not issued a public statement confirming or denying the breach. No sample data has yet been released publicly to independently verify the claims. Cybersecurity experts note that while some breach announcements on underground forums are exaggerated, the level of technical detail provided in this post suggests the claims warrant serious scrutiny.

If confirmed, the incident would represent one of the most severe messaging platform breaches in recent years, with long term implications for user privacy, account security, and trust in encrypted communication services.

Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.

"Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code," Trellix said in a report shared with The Hacker News. "This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses."

The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Targets of the malicious activity include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors like oil and gas and import and export, with lures written in Arabic, Spanish, Portuguese, Farsi, and English, suggesting the attacks are restricted to a specific region.

The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it's susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The "ahost.exe" executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken's Desktop application.

An analysis of the artifact on VirusTotal reveals that it's distributed under dozens of names, including, but not limited to, "RFQ\_NO\_04958\_LG2049 pdf.exe," "PO-069709-MQ02959-Order-S103509.exe," "23RDJANUARY OVERDUE.INV.PDF.exe," "sales contract po-00423-025\_pdf.exe," and "Fatura da DHL.exe," indication the use of invoice and request for quote (RFQ) themes to trick users into opening it.

"This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken's ahost.exe to bypass security defenses," Trellix said. "By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft."

The disclosure comes as Trellix also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials. This works by creating a fake pop-up within the victim's legitimate browser window using an iframe element, making it virtually impossible to differentiate between a genuine and bogus login page.

"The attack often starts with a phishing email, which may be disguised as a communication from a law firm," researcher Mark Joseph Marti said. "This email typically contains a fake legal notice regarding an infringing video and includes a hyperlink disguised as a Facebook login link."

As soon as the victim clicks on the shortened URL, they are redirected to a phony Meta CAPTCHA prompt that instructs victims to sign in to their Facebook account. This, in turn, triggers a pop-up window that employs the BitB method to display a fake login screen designed to harvest their credentials.

Other variants of the social engineering campaign leverage phishing emails claiming copyright violations, unusual login alerts, impending account shutdowns due to suspicious activity, or potential security exploits. These messages are designed to induce a false sense of urgency and lead victims to pages hosted on Netlify or Vercel to capture their credentials. There is evidence to suggest that the phishing attacks may have been ongoing since July 2025.

"By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually," Trellix said. "The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages."

The findings coincide with the discovery of a multi-stage phishing campaign that exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links pointing to ZIP archives containing an internet shortcut (URL) file. Details of the campaign were first documented by Forcepoint X-Labs in February 2025.

"The initial payload, a Windows Script Host (WSH) file, was designed to download and execute additional malicious scripts hosted on a WebDAV server," Trend Micro said. "These scripts facilitated the download of batch files and further payloads, ensuring a seamless and persistent infection routine."

A standout aspect of the attack is the abuse of living-off-the-land (LotL) techniques that employ Windows Script Host, PowerShell, and native utilities, as well as Cloudflare's free-tier infrastructure to host the WebDAV server and evade detection.

The scripts staged on TryCloudflare domains are engineered to install a Python environment, establish persistence via Windows startup folder scripts, and inject the AsyncRAT shellcode into an "explorer.exe" process. In tandem, a decoy PDF is displayed to the victim as a distraction mechanism and misleads them into thinking that a legitimate document was accessed.

"The AsyncRAT campaign analyzed in this report demonstrates the increasing sophistication of threat actors in abusing legitimate services and open-source tools to evade detection and establish persistent remote access," Trend Micro said. "By utilizing Python-based scripts and abusing Cloudflare's free-tier infrastructure for hosting malicious payloads, the attackers successfully masked their activities under trusted domains, bypassing traditional security controls."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

****Zero-Day Threats and Active Risks****

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.

Patches details (Source: Qualys)

Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full _SYSTEM_ control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.

****Critical Fixes for Office and Windows****

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the _Preview Pane._

****Insights from Security Researchers****

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

A Magecart campaign is skimming card data from online checkouts tied to major payment networks, including AmEx, Diners Club, and Mastercard.

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard.

Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming.

In the early days, Magecart started as a loose coalition of threat actors targeting Magento‑based web stores. Today, the name is used more broadly to describe web-skimming operations against many e‑commerce platforms. In these attacks, criminals inject JavaScript into legitimate checkout pages to capture card data and personal details as shoppers enter them.

The campaign described by the researchers has been active since early 2022. They found a vast network of domains related to a long-running credit card skimming operation with a wide reach.

> “This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.”

Attackers typically plant web skimmers on e-commerce sites by exploiting vulnerabilities in supply chains, third-party scripts, or the sites themselves. This is why web shop owners need to stay vigilant by keeping systems up to date and monitoring their content management system (CMS).

Web skimmers usually hook into the checkout flow using JavaScript. They are designed to read form fields containing card numbers, expiry dates, card verification codes (CVC), and billing or shipping details, then send that data to the attackers.

To avoid detection, the JavaScript is heavily obfuscated to and may even trigger a self‑destruct routine to remove the skimmer from the page. This can cause investigations performed through an admin session to appear unsuspicious.

Besides other methods to stay hidden, the campaign uses bulletproof hosting for a stable environment. Bulletproof hosting refers to web hosting services designed to shield cybercriminals by deliberately ignoring abuse complaints, takedown requests, and law enforcement actions.

**How to stay safe**

Magecart campaigns affect three groups: customers, merchants, and payment providers. Because web skimmers operate inside the browser, they can bypass many traditional server‑side fraud controls.

While shoppers cannot fix compromised checkout pages themselves, they can reduce their exposure and improve their chances of spotting fraud early.

A few things you can protect against the risk of web skimmers:

*   **Use virtual or single‑use cards** for online purchases so any skimmed card number has a limited lifetime and spending scope.
*   **Where possible, turn on transaction alerts** (SMS, email, or app push) for card activity and review statements regularly to spot unsolicited charges quickly.
*   **Use strong, unique passwords** on bank and card portals so attackers cannot easily pivot from stolen card data to full account takeover.
*   **Use a web protection solution** to avoid connecting to malicious domains.

Pro tip: Malwarebytes Browser Guard is free and blocks known malicious sites and scripts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Online shoppers at risk as Magecart skimming hits major payment networks 

New York, NY, 14th January 2026, CyberNewsWire

**New York, NY, January 14th, 2026, CyberNewsWire**

**Leading secrets security platform sees accelerated adoption across Fortune 500, with 60% of new customers choosing multi-year commitments.**

GitGuardian, the leading secrets and Non-Human Identity security platform, today announced record growth in ARR and customer expansion throughout 2025, reinforcing its position as the enterprise standard for protecting code, collaboration tools, and cloud infrastructure from exposed secrets and credentials.

With 70% of its revenue coming from the US, GitGuardian’s momentum in North America continued to accelerate in 2025, **as the region accounted for over 80% of new ARR**.

**Enterprise Trust & Adoption**

GitGuardian’s momentum was driven by deep adoption among global enterprise customers, including:

*   Deutsche Telekom
*   BASF
*   A leading enterprise cloud platform provider with 25,000+ employees globally headquartered in the USA
*   A major technology-enabled mobility and delivery platform with 30,000+ employees worldwide headquartered in the USA
*   A global pharmaceutical and biotechnology company with 90,000+ employees, headquartered in Europe
*   A major enterprise software vendor with 110,000+ employees
*   Leading financial services cooperative with 55,000+ employees in North America

Demonstrating confidence in GitGuardian’s long-term value, +**60% of new enterprise customers signed multi-year agreements** in 2025.

**Platform Scale & Coverage**

GitGuardian’s Secrets Security platform now protects:

*   **More than 115K developers** across enterprise customers globally.
*   **More than 610K enterprises’ repositories** continuously monitored for exposed secrets.
*   **More than 210K connected collaboration tool sources**, including Slack, Jira, Confluence, and major cloud platforms, this is 7 times 2024 number.
*   More than **16M free users’** **repositories,** 40% more than in 2024.

The platform detected and helped enterprises remediate 350K **new potential secret exposures** in 2025 alone, preventing security incidents before they could impact customers. It also remediated 5x more secrets than in 2024.

**Strong Global & Sector Growth**

The company strengthened its leadership in **Technology & Telecommunications, its core and most mature market**, while achieving **deep adoption across highly regulated industries** including Financial Services, Healthcare, and Insurance, where stringent security and compliance requirements drive platform value.

GitGuardian’s customer base also reflects strong industry diversification, spanning **Energy, Manufacturing, Media, Retail, and Professional Services sectors**.

**Customer Success & Retention**

GitGuardian maintained **industry-leading customer retention**, with customers expanding their use of the platform’s capabilities, including:

*   Digital Ocean
*   Orange

> “GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively.” Ari Kalfus Senior Manager, Product Security at DigitalOcean

> “At the scale of a large enterprise, we wanted to ensure our secrets management approach would meet regulatory standards well ahead of future requirements” Grégory Maitrallain, Solution Architect at Orange Business

**Looking Ahead**

> “Enterprise security teams are recognizing that secrets sprawl across their entire development ecosystem—from code repositories to collaboration tools to AI coding assistants,” said Eric Fourrier, CEO at GitGuardian. “Our customers are not just buying a point solution, but investing in a comprehensive Non-Human Identity security platform that scales with their business, which is why we’re seeing such strong multi-year commitment.”

**About GitGuardian**

GitGuardian is an end-to-end NHI Security platform that empowers software-driven organizations to secure their Non-Human Identities (NHIs) and comply with industry standards. With attackers increasingly targeting NHIs, such as service accounts and applications, GitGuardian integrates Secrets Security and NHI Governance. This dual approach enables the detection of compromised secrets across your dev environments while also managing non-human identities and their secrets’ lifecycles. The platform is the world’s most installed GitHub application and supports over 550+ types of secrets, offers public monitoring for leaked data, and deploys honeytokens for added defense. Trusted by over 600,000 developers, GitGuardian is the choice of leading organizations like Snowflake, ING, BASF, and Bouygues Telecom for robust secrets protection.

**Contact**

**Sr. Partner**  
**Holly Hagerman**  
**Connect Marketing**  
**\[email protected\]**

GitGuardian Closes 2025 with Strong Enterprise Momentum, Protecting Millions of Developers Worldwide

Attackers use legitimate open-source software as cover, relying on user trust to compromise systems. We dive into an example.

It starts with a simple search.

You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding.

You install the software, launch it, and everything works exactly as expected.

What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer.

That’s exactly what we observed in a campaign using the fake domain **rustdesk\[.\]work**.

**The bait: a near-perfect impersonation**

We identified a malicious website at **rustdesk\[.\]work** impersonating the legitimate RustDesk project, which is hosted at **rustdesk.com**. The fake site closely mirrors the real one, complete with multilingual content and prominent warnings claiming (ironically) that rustdesk\[.\]work is the _only_ _official domain_.

This campaign doesn’t exploit software vulnerabilities or rely on advanced hacking techniques. It succeeds entirely through deception. When a website looks legitimate and the software behaves normally, most users never suspect anything is wrong.

**What happens when you run the installer**

The installer performs a deliberate bait-and-switch:

1.  It installs **real RustDesk**, fully functional and unmodified
2.  It quietly installs **a hidden backdoor**, a malware framework known as **Winos4.0**

The user sees RustDesk launch normally. Everything appears to work. Meanwhile, the backdoor quietly establishes a connection to the attacker’s server.

By bundling malware with working software, attackers remove the most obvious red flag: broken or missing functionality. From the user’s point of view, nothing feels wrong.

**Inside the infection chain**

The malware executes through a staged process, with each step designed to evade detection and establish persistence:

**Stage 1: The trojanized installer**

The downloaded file (rustdesk-1.4.4-x86_64.exe) acts as both **dropper and decoy**. It writes two files to disk:

*   The legitimate RustDesk installer, which is executed to maintain cover
*   logger.exe, the Winos4.0 payload

The malware hides in plain sight. While the user watches RustDesk install normally, the malicious payload is quietly staged in the background.

**Stage 2: Loader execution**

The logger.exe file is a loader — its job is to set up the environment for the main implant. During execution, it:

*   Creates a new process
*   Allocates executable memory
*   Transitions execution to a new runtime identity: Libserver.exe

This loader-to-implant handoff is a common technique in sophisticated malware to separate the initial dropper from the persistent backdoor.

By changing its process name, the malware makes forensic analysis harder. Defenders looking for “logger.exe” won’t find a running process with that name.

**Stage 3: In-memory module deployment**

The Libserver.exe process unpacks the actual Winos4.0 framework entirely in memory. Several WinosStager DLL modules—and a large ~128 MB payload—are loaded without being written to disk as standalone files.

Traditional antivirus tools focus on scanning files on disk (file-based detection). By keeping its functional components in memory only, the malware significantly reduces the effectiveness of file-based detection. This is why behavioral analysis and memory scanning are critical for detecting threats like Winos4.0.

The secondary payload is identified as **Winos4.0 (WinosStager)**: a sophisticated remote access framework that has been observed in multiple campaigns, particularly targeting users in Asia.

Once active, it allows attackers to:

*   Monitor victim activity and capture screenshots
*   Log keystrokes and steal credentials
*   Download and execute additional malware
*   Maintain persistent access even after system reboots

This isn’t simple malware—it’s a full-featured attack framework. Once installed, attackers have a foothold they can use to conduct espionage, steal data, or deploy ransomware at a time of their choosing.

**Technical detail: How the malware hides**

The malware employs several techniques to avoid detection:

**What it does**

**How it achieves this**

**Why it matters**

**Runs entirely in memory**

Loads executable code without writing files

Evades file-based detection

**Detects analysis environments**

Checks available system memory and looks for debugging tools

Prevents security researchers from analyzing its behavior

**Checks system language**

Queries locale settings via the Windows registry

May be used to target (or avoid) specific geographic regions

**Clears browser history**

Invokes system APIs to delete browsing data

Removes evidence of how the victim found the malicious site

**Hides configuration in the registry**

Stores encrypted data in unusual registry paths

Hides configuration from casual inspection

****Command-and-control activity****

Shortly after installation, the malware connects to an attacker-controlled server:

*   **IP:** 207.56.13\[.\]76
*   **Port:** 5666/TCP

This connection allows attackers to send commands to the infected machine and receive stolen data in return. Network analysis confirmed sustained two-way communication consistent with an established command-and-control session.

****How the malware blends into normal traffic****

The malware is particularly clever in how it disguises its network activity:

**Destination**

**Purpose**

207.56.13\[.\]76:5666

**Malicious:** Command-and-control server

209.250.254.15:21115-21116

**Legitimate:** RustDesk relay traffic

api.rustdesk.com:443

**Legitimate:** RustDesk API

Because the victim installed real RustDesk, the malware’s network traffic is mixed with legitimate remote desktop traffic. This makes it much harder for network security tools to identify the malicious connections: the infected computer looks like it’s just running RustDesk.

**What this campaign reveals**

This attack demonstrates a troubling trend: legitimate software used as camouflage for malware.

The attackers didn’t need to find a zero-day vulnerability or craft a sophisticated exploit. They simply:

1.  Registered a convincing domain name
2.  Cloned a legitimate website
3.  Bundled real software with their malware
4.  Let the victim do the rest

This approach works because it exploits human trust rather than technical weaknesses. When software behaves exactly as expected, users have no reason to suspect compromise.

**Indicators of compromise****File hashes (SHA256)**

File

SHA256

Classification

Trojanized installer

330016ab17f2b03c7bc0e10482f7cb70d44a46f03ea327cd6dfe50f772e6af30

Malicious

logger.exe / Libserver.exe

5d308205e3817adcfdda849ec669fa75970ba8ffc7ca643bf44aa55c2085cb86

Winos4.0 loader

RustDesk binary

c612fd5a91b2d83dd9761f1979543ce05f6fa1941de3e00e40f6c7cdb3d4a6a0

Legitimate

**Network indicators**

**Malicious domain:** rustdesk\[.\]work

**C2 server:** 207.56.13\[.\]76:5666/TCP

**In-memory payloads**

During execution, the malware unpacks several additional components directly into memory:

**SHA256**

**Size**

**Type**

a71bb5cf751d7df158567d7d44356a9c66b684f2f9c788ed32dadcdefd9c917a

107 KB

WinosStager DLL

900161e74c4dbab37328ca380edb651dc3e120cfca6168d38f5f53adffd469f6

351 KB

WinosStager DLL

770261423c9b0e913cb08e5f903b360c6c8fd6d70afdf911066bc8da67174e43

362 KB

WinosStager DLL

1354bd633b0f73229f8f8e33d67bab909fc919072c8b6d46eee74dc2d637fd31

104 KB

WinosStager DLL

412b10c7bb86adaacc46fe567aede149d7c835ebd3bcab2ed4a160901db622c7

~128 MB

In-memory payload

00781822b3d3798bcbec378dfbd22dc304b6099484839fe9a193ab2ed8852292

307 KB

In-memory payload

**How to protect yourself**

The rustdesk\[.\]work campaign shows how attackers can gain access without exploits, warnings, or broken software. By hiding behind trusted open-source tools, this attack achieved persistence and cover while giving victims no reason to suspect compromise.

The takeaway is simple: _software behaving normally does not mean it’s safe._ Modern threats are designed to blend in, making layered defenses and behavioral detection essential.

**For individuals:**

*   **Always verify download sources.** Before downloading software, check that the domain matches the official project. For RustDesk, the legitimate site is rustdesk.com—not rustdesk.work or similar variants.
*   **Be suspicious of search results.** Attackers use SEO poisoning to push malicious sites to the top of search results. When possible, navigate directly to official websites rather than clicking search links.
*   **Use security software.** Malwarebytes Premium Security detects malware families like Winos4.0, even when bundled with legitimate software.

**For businesses:**

*   **Monitor for unusual network connections.** Outbound traffic on port 5666/TCP, or connections to unfamiliar IP addresses from systems running remote desktop software, should be investigated.
*   **Implement application allowlisting.** Restrict which applications can run in your environment to prevent unauthorized software execution.
*   **Educate users about typosquatting.** Training programs should include examples of fake websites and how to verify legitimate download sources.
*   **Block known malicious infrastructure.** Add the IOCs listed above to your security tools.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.

 How real software downloads can hide remote backdoors 

Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Wednesday, January 14, 2026 06:00

Cisco Talos is kicking off the new year with a behind-the-scenes look at incident response through the eyes of Terryn Valikodath, Senior Incident Response Consultant at Talos. In this episode, Amy sits down with Terryn to explore the realities of a job that blends technical know-how with communication skills, proactive planning, and a passion for problem-solving. Terryn’s path to cybersecurity started with a fascination for criminal forensics and a knack for jailbreaking his family's tech — interests that eventually steered him toward the fast-paced world of digital investigations.

Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during cyber range trainings, and the creative outlets that help him recharge.

**Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?**

Terryn Valikodath: Absolutely. I’m a Senior Incident Response Consultant, so essentially an incident responder. The unique thing about our team is that we handle both proactive and reactive work. On the proactive side, we help develop incident response plans, run tabletop exercises, threat hunts, training, and similar tasks. On the reactive side, we step in when an organization experiences a security event, investigate, and provide recommendations to get them back up and running. It’s rewarding to see both sides of the work.

**AC: On my end, I'm always amazed at all the different services Cisco Talos Incident Response provides. Is it difficult to balance them, and is there a part of the job you enjoy most?**

TV: It definitely takes some getting used to since most cybersecurity roles focus on either proactive or reactive tasks, not both. But it’s helpful, because our direct experience informs the advice we give. For example, when we develop an incident response plan, we can reference real situations we’ve handled. That builds trust with customers. My favorite aspect is running cyber range trainings — a three-day course where we teach technical folks how to handle incident response. I’m passionate about teaching, both externally and within our team. I enjoy demystifying the field and showing people that it’s about dedication and learning, not just being a specialist.

_Want to see more? Watch the_ _full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos._

Brushstrokes and breaches with Terryn Valikodath

Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. 
Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise.
Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%).

Download the

*   Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024.
*   Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise.
*   Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%).

> **Download the complete 43-page analysis →**

****TL;DR****

A critical disconnect emerges in the 2026 research: While 81% of security leaders call web attacks a top priority, only 39% have deployed solutions to stop the bleeding.

Last year's research found 51% unjustified access. This year it's 64% — and accelerating into public infrastructure.

****What is Web Exposure?****

Gartner coined 'Web Exposure Management' to describe security risks from third-party applications: analytics, marketing pixels, CDNs, and payment tools. Each connection expands your attack surface; a single vendor compromise can trigger a massive data breach by injecting code to harvest credentials or skim payments.

This risk is fueled by a governance gap, where marketing or digital teams deploy apps without IT oversight. The result is chronic misconfiguration, where over-permissioned applications are granted access to sensitive data fields they don't functionally need.

This research analyzes exactly what data these third-party apps touch and whether they have a legitimate business justification.

****Methodology****

Over 12 months (ending Nov. 2025), Reflectiz analyzed 4,700 leading websites using its proprietary Exposure Rating system. It analyzes the huge number of data points it gathers from scanning millions of websites by considering each risk factor in context, adds them together to create an overall level of risk, and expresses this as a simple grade, from A to F. Findings were supplemented by a survey of 120+ security leaders in the healthcare, finance, and retail sectors.

****The Unjustified Access Crisis****

The report highlights a growing governance gap termed "unjustified access": instances where third-party tools are granted access to sensitive data without a demonstrable business need.

Access is flagged when a third-party script meets any of these criteria:

*   **Irrelevant Function:** Reading data unnecessary for its task (e.g., a chatbot accessing payment fields).
*   **Zero-ROI Presence:** Remaining active on high-risk pages despite 90+ days of zero data transmission.
*   **Shadow Deployment:** Injection via Tag Managers without security oversight or "least privilege" scoping.
*   **Over-Permissioning:** Utilizing "Full DOM Access" to scrape entire pages rather than restricted elements.

"Organizations are granting sensitive data access by default rather than exception." This trend is most acute in Entertainment and Online Retail, where marketing pressures often override security reviews.

The study identifies specific tools driving this exposure:

*   **Google Tag Manager:** Accounts for 8% of all unjustified sensitive data access.
*   **Shopify:** 5% of unjustified access.
*   **Facebook Pixel:** In 4% of analyzed deployments, the pixel was found to be over-permissioned, capturing sensitive input fields it did not require for functional tracking.

This governance gap isn't theoretical. A recent survey of 120+ security decision-makers from healthcare, finance, and retail found that 24% of organizations rely solely on general security tools like WAF, leaving them vulnerable to the specific third-party risks this research identified. Another 34% are still evaluating dedicated solutions, meaning 58% of organizations lack proper defenses despite recognizing the threat.

****Critical Infrastructure Under Siege****

While the stats show massive spikes in Government and Education breaches, the _cause_ is financial rather than technical.

*   Government Sector: Malicious activity exploded from 2% to 12.9% .
*   Education Sector: Signs of compromised sites quadrupled to 14.3% (1 in 7 sites)
*   Insurance Sector**:** By contrast, this sector reduced malicious activity by 60%, dropping to just 1.3%.

Budget-constrained institutions are losing the supply chain battle. Private sectors with better governance budgets are stabilizing their environments.

Survey respondents confirmed this: 34% cited budget constraints as their primary obstacle, while 31% pointed to lack of manpower – a combination that hits public institutions particularly hard.

****The Awareness-Action Gap****

Security leader survey findings expose organizational dysfunction:

*   **81% call web attacks a priority** → Only 39% deployed solutions
*   **61% still evaluating or using inadequate tools** → Despite 51% → 64% unjustified access surge
*   **Top obstacles:** Budget (34%), regulation (32%), staffing (31%)

**Result:** Awareness without action creates vulnerability at scale. The 42-point gap explains why unjustified access grows 25% year-over-year.

****The Marketing Department Factor****

A key driver of this risk is the "Marketing Footprint." The research found that Marketing and Digital departments now drive 43% of all third-party risk exposure, compared to just 19% created by IT.

The report found that 47% of apps running in payment frames lack business justification. Marketing teams frequently deploy conversion tools into these sensitive environments without realizing the implications.

Security teams recognize this threat: in the practitioner survey, 20% of respondents ranked supply chain attacks and third-party script vulnerabilities among their top three concerns. Yet the organizational structure that would prevent these risks – unified oversight of third-party deployments – remains absent at most organizations.

****How a Pixel Breach Could Eclipse Polyfill.io****

With 53.2% ubiquity, the Facebook Pixel is a systemic single point of failure. The risk is not the tool, but unmanaged permissions: "Full DOM Access" and "Automatic Advanced Matching" transform marketing pixels into unintentional data scrapers.

**The Precedent:** A compromise would be 5x larger than the 2024 Polyfill.io attack, exposing data across half the major web simultaneously. Polyfill affected 100K sites over weeks; Facebook Pixel's 53.2% ubiquity means 2.5M+ sites are compromised instantly.

**The Fix:** Context-Aware Deployment. Restrict pixels to landing pages for ROI, but strictly block them from payment and credential frames where they lack business justification.

> **What about TikTok pixel and other trackers? Download the full report for more insights >>**

****Technical Indicators of Compromise****

For the first time, this research pinpoints technical signals that predict compromised sites.

Compromised sites don't always use malicious apps – they're characterized by "noisier" configurations.

**Automated Detection Criteria:**

*   **Recently Registered Domains:** Domains registered within the last 6 months appear 3.8x more often on compromised sites.
*   **External Connections:** Compromised sites connect to 2.7x more external domains (100 vs. 36).
*   **Mixed Content:** 63% of compromised sites mix HTTPS/HTTP protocols.

****Benchmarks for Security Leaders****

Among the 4,700 analyzed sites, 429 demonstrated strong security outcomes. These organizations prove that functionality and security can coexist:

*   **ticketweb.uk:** Only site meeting all 8 benchmarks (Grade A+)
*   **GitHub, PayPal, Yale University:** Meeting 7 benchmarks (Grade A)

****The 8 Security Benchmarks: Leaders vs Average****

The benchmarks below represent achievable targets based on real-world performance, not theoretical ideals. Leaders maintain ≤8 third-party apps, while average organizations struggle with 15-25. The difference isn't resources – it's governance. Here's how they compare across all eight metrics:

****Three Quick Wins To Prioritize********1\. Audit Trackers****

**Inventory every pixel/tracker:**

*   Identify the owner and business justification
*   Remove tools that can't justify data access

**Priority fixes:**

*   Facebook Pixel: Disable 'Automatic Advanced Matching' on PII pages
*   Google Tag Manager: Verify no payment page access
*   Shopify: Review app permissions

****2\. Implement Automated Monitoring****

Deploy runtime monitoring for:

*   Sensitive field access detection (cards, SSNs, credentials)
*   Real-time alerts for unauthorized collection
*   CSP violation tracking

****3\. Address the Marketing-IT Divide****

**Joint CISO + CMO review:**

*   Marketing tools in payment frames
*   Facebook Pixel scoping (use Allow/Exclusion Lists)
*   Tracker ROI vs. security risk

****Download the Full Report****

Get the complete 43-page analysis, including:

✅ **Sector-by-sector risk breakdowns**

✅ **Complete list of high-risk third-party apps**

✅ **Year-over-year trend analysis**

✅ **Security leaders best practices**

> **DOWNLOAD THE FULL REPORT HERE**

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

New Research: 64% of 3rd-Party Applications Access Sensitive Data Without Justification

A new investigation by GreyNoise reveals a massive wave of over 90,000 attacks targeting AI tools like Ollama and OpenAI. Experts warn that hackers are conducting "reconnaissance" to map out vulnerabilities in enterprise AI systems.

In a recent discovery, researchers have found that cybercriminals are turning their focus toward the systems that power modern artificial intelligence (AI). Between October 2025 and January 2026, a specialized honeypot (a trap set by security experts to catch hackers) recorded 91,403 attack sessions.

This investigation was conducted by the research firm GreyNoise, which set up fake installations of a popular AI tool called Ollama to act as bait. The research reveals that there isn’t just one group at work, but two separate campaigns are active, each trying to find a different way to exploit the growing world of AI.

****The Phone Home Trick****

The first group of attackers used a method known as Server-Side Request Forgery (SSRF). To put it simply, this is a trick where a hacker fools a company’s server into making a connection to the hacker’s own computer. Researchers noted that the attackers specifically targeted Ollama and Twilio (a popular messaging service).

By sending a “malicious registry URL,” they could force the AI server to “phone home” to their own systems. It is worth noting that this activity saw a “dramatic spike over Christmas,” with 1,688 sessions occurring in just 48 hours, according to GreyNoise’s blog post. While some of these might be security researchers or bug bounty hunters looking for rewards, the timing suggests they were pushing boundaries while IT teams were on holiday.

Campaign 1 timeline (Source: GreyNoise)

****Building a Hit List for AI Models****

The second campaign is even more concerning. Starting on December 28, 2025, two specific digital addresses (45.88.186.70 and 204.76.203.125) began a massive, methodical search of over 73 different AI endpoints. While investigating, researchers found that in just eleven days, they generated 80,469 sessions to see which AI models they could reach.

According to researchers, these were professional actors, perhaps conducting reconnaissance since they weren’t trying to break things yet. Also, they noted the actors were “building target lists” by testing models from big names like Anthropic (Claude), Meta (Llama), xAI (Grok), and DeepSeek.

> _“The attack tested both OpenAI-compatible API formats and Google Gemini formats. Every major model family appeared in the probe list: OpenAI (GPT-4o and variants), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral, Alibaba (Qwen), and xAI (Grok).”_
> 
> GreyNoise

Further probing revealed that these attackers used simple, innocent questions like “How many states are there in the United States?” just to see which models would respond.

Campaign 2 test queries (source: GreyNoise)

****How to Protect Your Systems****

To keep these systems secure, researchers at GreyNoise suggest that companies should only allow AI models to be downloaded from trusted sources. It is also important to watch out for rapid-fire requests that ask the same simple questions over and over. The scale of these attacks is massive, involving 62 source IPs across 27 countries, which is a clear sign that hackers are now mapping out their next big move.

****Expert Warnings on AI Risks****

Security teams are viewing these findings as an early warning of a much broader risk. Chris Hughes, VP of Security Strategy at Zenity, shared his perspective exclusively with Hackread.com, noting that while probing models is a concern, the immediate danger lies in how AI agents interact with company systems.

“While this marks the first public confirmation of attackers targeting AI systems, it certainly won’t be the last,” Hughes stated. He explained that the information gained from these probes will likely be used for future attacks. He warned that the greater risk appears when AI tools access enterprise systems or cloud environments without proper oversight.

“As attackers move from probing models to exploiting agents, organizations that focus only on model-centric security will be responding to incidents they never saw coming,” he added.

(Photo by Egor Komarov on Unsplash)

Tag

#git