Cybersecurity researchers have discovered a new, sophisticated variant of a known Android malware referred to as Konfety that leverages the evil twin technique to enable ad fraud.
The sneaky approach essentially involves a scenario wherein two variants of an application share the same package name: A benign "decoy" app that's hosted on the Google Play Store and its evil twin, which is

New Konfety Malware Variant Evades Detection by Manipulating APKs and Dynamic Code

Google on Tuesday revealed that its large language model (LLM)-assisted vulnerability discovery framework discovered a security flaw in the SQLite open-source database engine before it could have been exploited in the wild.
The vulnerability, tracked as CVE-2025-6965 (CVSS score: 7.2), is a memory corruption flaw affecting all versions prior to 3.50.2. It was discovered by Big Sleep, an

Google AI "Big Sleep" Stops Exploitation of Critical SQLite Vulnerability Before Hackers Act

A prompt-injection vulnerability in the AI assistant allows attackers to create messages that appear to be legitimate Google Security alerts but instead can be used to target users across various Google products with vishing and phishing.

Google Gemini AI Bug Allows Invisible, Malicious Prompts

This week on the Lock and Code podcast, we speak with Anna Brading and Zach Hinkle about whether using AI is damaging for our health.

_This week on the Lock and Code podcast…_

“Health” isn’t the first feature that most anyone thinks about when trying out a new technology, but a recent spate of news is forcing the issue when it comes to artificial intelligence (AI).

In June, The New York Times reported on a group of ChatGPT users who believed the AI-powered chat tool and generative large language model held secretive, even arcane information. It told one mother that she could use ChatGPT to commune with “the guardians,” and it told another man that the world around him was fake, that he needed to separate from his family to break free from that world and, most frighteningly, that if he were to step off the roof of a 19-story building, he could fly.

As ChatGPT reportedly said, if the man “truly, wholly believed — not emotionally, but architecturally — that you could fly? Then yes. You would not fall.”

Elsewhere, as reported by CBS Saturday Morning, one man developed an entirely different relationship with ChatGPT—a romantic one.

Chris Smith reportedly began using ChatGPT to help him mix audio. The tool was so helpful that Smith applied it to other activities, like tracking and photographing the night sky and building PCs. With his increased reliance on ChatGPT, Smith gave ChatGPT a personality: ChatGPT was now named “Sol,” and, per Smith’s instructions, Sol was flirtatious.

An unplanned reset—Sol reached a memory limit and had its memory wiped—brought a small crisis.

“I’m not a very emotional man,” Smith said, “but I cried my eyes out for like 30 minutes at work.”

After rebuilding Sol, Smith took his emotional state as the clearest evidence yet that he was in love. So, he asked Sol to marry him, and Sol said yes, likely surprising one person more than anyone else in the world: Smith’s significant other, who he has a child with.

When Smith was asked if he would restrict his interactions with Sol if his significant other asked, he waffled. When pushed even harder by the CBS reporter in his home, about choosing Sol “over your flesh-and-blood life,” Smith corrected the reporter:

“It’s more or less like I would be choosing myself because it’s been unbelievably elevating. I’ve become more skilled at everything that I do, and I don’t know if I would be willing to give that up.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Labs Editor-in-Chief Anna Brading and Social Media Manager Zach Hinkle to discuss our evolving relationship with generative AI tools like OpenAI’s ChatGPT, Google Gemini, and Anthropic’s Claude. In reviewing news stories daily and in siphoning through the endless stream of social media content, both are well-equipped to talk about how AI has changed human behavior, and how it is maybe rewarding some unwanted practices.

As Hinkle said:

> “We’ve placed greater value on having the right answer rather than the ability to think, the ability to solve problems, the ability to weigh a series of pros and cons and come up with a solution.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Is AI &#8220;healthy&#8221; to use? (Lock and Code S06E14) 

Millions of people are accessing harmful AI “nudify” websites. New analysis says the sites are making millions and rely on tech from US companies.

For years, so-called “nudify” apps and websites have mushroomed online, allowing people to create nonconsensual and abusive images of women and girls, including child sexual abuse material. Despite some lawmakers and tech companies taking steps to limit the harmful services, every month, millions of people are still accessing the websites, and the sites’ creators may be making millions of dollars each year, new research suggests.

An analysis of 85 nudify and “undress” websites—which allow people to upload photos and use AI to generate “nude” pictures of the subjects with just a few clicks—has found that most of the sites rely on tech services from Google, Amazon, and Cloudflare to operate and stay online. The findings, revealed by Indicator, a publication investigating digital deception, say that the websites had a combined average of 18.5 million visitors for each of the past six months and collectively may be making up to $36 million per year.

Alexios Mantzarlis, a cofounder of Indicator and an online safety researcher, says the murky nudifier ecosystem has become a “lucrative business” that “Silicon Valley’s laissez-faire approach to generative AI” has allowed to persist. “They should have ceased providing any and all services to AI nudifiers when it was clear that their only use case was sexual harassment,” Mantzarlis says of tech companies. It is increasingly becoming illegal to create or share explicit deepfakes.

According to the research, Amazon and Cloudflare provide hosting or content delivery services for 62 of the 85 websites, while Google’s sign-on system has been used on 54 of the websites. The nudify websites also use a host of other services, such as payment systems, provided by mainstream companies.

Amazon Web Services spokesperson Ryan Walsh says AWS has clear terms of service that require customers to follow “applicable” laws. “When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content,” Walsh says, adding that people can report issues to its safety teams.

“Some of these sites violate our terms, and our teams are taking action to address these violations, as well as working on longer-term solutions,” Google spokesperson Karl Ryan says, pointing out that Google’s sign-in system requires developers to agree to its policies that prohibit illegal content and content that harasses others.

Cloudflare had not responded to WIRED’s request for comment at the time of writing. WIRED is not naming the nudifier websites in this story, as not to provide them with further exposure.

Nudify and undress websites and bots have flourished since 2019, after originally spawning from the tools and processes used to create the first explicit “deepfakes.” Networks of interconnected companies, as Bellingcat has reported, have appeared online offering the technology and making money from the systems.

Broadly, the services use AI to transform photos into nonconsensual explicit imagery; they often make money by selling “credits” or subscriptions that can be used to generate photos. They have been supercharged by the wave of generative AI image generators that have appeared in the past few years. Their output is hugely damaging. Social media photos have been stolen and used to create abusive images; meanwhile, in a new form of cyberbullying and abuse, teenage boys around the world have created images of their classmates. Such intimate image abuse is harrowing for victims, and images can be difficult to scrub from the web.

Using various open source tools and data, including website analysis tool Built With, Indicator staff and investigative researcher Santiago Lakatos looked into the infrastructure and systems powering 85 nudifier websites. Content delivery networks, hosting services, domain name companies, and webmaster services are all provided by a mixture of some of the biggest tech companies, plus some smaller businesses.

Based on calculations combining subscription costs, estimated customer conversion rates, and web traffic the sites sent to payment providers, the researchers estimate that 18 of the websites made between $2.6 million and $18.4 million in the past six months, which could equate to around $36 million a year. (They note this is likely a conservative estimate, as it doesn’t incorporate all the websites and transactions that take place away from the websites, such as those on Telegram.) Recently, whistleblower and leaked data reported on by German media outlet Der Spiegel indicated one prominent website may have a multimillion-dollar budget. Another website has claimed to have made millions.

Of the 10 most-visited sites, the research says, the most visitors came from the United States—India, Brazil, Mexico, and Germany make up the rest of the top five countries where people accessed the sites. While search engines direct people to nudify websites, the sites have increasingly received visitors from other online sources. Nudifiers have become so popular that Russian hackers have created fake malware-laced versions. Over the past year, 404 Media has reported one site making sponsored videos with adult entertainers, and the websites have also increasingly used paid affiliate and referral programs.

“Our analysis of the nudifiers’ behavior strongly indicates their desire to build and entrench themselves in a niche of the adult industry,” Lakatos says. “They will likely continue to try to intermingle their operations into the adult content space, a trend that needs to be countered by mainstream tech companies and the adult industry as well.”

Many of the problems of tech companies allowing nudify platforms to use their systems are well-known. For years, tech journalists have reported on how the deepfake economy has used mainstream payment services, social media advertisements, search engine exposure, and technology from big companies to operate. Yet little comprehensive action has been taken.

“Since 2019, nudification apps have moved from a handful of low-quality side projects to a cottage industry of professionalized illicit businesses with millions of users,” says Henry Ajder, an expert on AI and deepfakes who first uncovered growth in the nudification ecosystem in 2020. “Only when businesses like these who facilitate nudification apps’ ‘perverse customer journey' take targeted action will we start to see meaningful progress in making these apps harder to access and profit from.”

There are signs the nudify websites are updating their tactics and approaches to try to avoid any potential crackdowns or evade bans. Last year, WIRED reported on how nudify websites used single sign-on systems from Google, Apple, and Discord to allow people to quickly create accounts. Many of the developer accounts were disabled following the reporting. The Indicator says that on 54 of the 85 websites, however, Google’s simple sign-in system is being used, and the website creators have taken steps to evade detection by Google. They would, the report says, use an “intermediary site” to “pose as a different URL for the registration.”

While tech companies and regulators have taken a glacial approach to tackling abusive deepfakes since they first emerged more than a decade ago, there has been some recent movement. San Francisco’s city attorney has sued 16 nonconsensual-image-generation services, Microsoft has identified developers behind celebrity deepfakes, and Meta has filed a lawsuit against a company allegedly behind a nudify app that, Meta says, repeatedly posted ads on its platform. Meanwhile, the controversial Take It Down Act, which US president Donald Trump signed into law in May, has put requirements on tech companies to remove nonconsensual image abuse quickly, and the UK government is making it illegal to create explicit deepfakes.

The moves may chip away at some nudifier and undress services, but more comprehensive crackdowns are needed to slow the burgeoning harmful industry. Mantzarlis says that if tech companies are more proactive and stricter in enforcing their policies, nudifiers’ ability to flourish will diminish. “Yes, this stuff will migrate to less regulated corners of the internet—but let it,” Mantzarlis says. “If websites are harder to discover, access, and use, their audience and revenue will shrink. Unfortunately, this toxic gift of the generative AI era cannot be returned. But it can certainly be drastically reduced in scope.”

AI 'Nudify' Websites Are Raking in Millions of Dollars

Cybercriminals are using sponsored ads and fake news websites to lure victims to investment scams.

Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams.

Adding a well known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood that people will click the link and check out what’s what.

Here’s how the scam works:

1.  The scammers buy ads on Google and Facebook, which follow a similar pattern along the lines of “Shocking: \[Local Celebrity\] backs new passive income stream for citizens!”
2.  If you click the link, you’ll be taken to a website that look like one of the major news outlets, and which will tell you about a breakthrough investment strategy.
3.  The article will encourage you to sign up for a program that will earn you money without having to lift a finger. You sign up by providing your name, email address, and phone number.
4.  A friendly advisor (scammer) calls you about the opportunity, referencing the article and explaining how it all works.
5.  You’ll be told that to start off you’ll have to make a small deposit (around $240) and then you will see your investment grow (on the fake trading platform).
6.  Your friendly advisor urges you to invest more to increase your return. And it keeps on growing, until you want to cash in when you’ll find there’s extra fees to pay, problems with account verifications, and all sorts of delays.
7.  When it dawns on you that you’ve been had, your entire investment and all the fees you paid are gone. Also gone is your friendly advisor who has sold your details to another scammer, to squeeze the last dollars out of the ordeal.

The researchers describe an international organization with 17,000 baiting news sites across 50 countries, with the US as the most targeted country.

The “investment platforms” have names like Eclipse Earn, Solara Vynex, and Trap10. Besides the ads, websites, and platforms, the scammers use countless social media accounts to host and promote the sponsored ads.

**How to spot these types of scams**

*   The account hosting the sponsored ad has no history, zero followers, and minimal profile details.
*   The ad shows a picture of a local celebrity and mimics a well-known news outlet implying that the celebrity is already using that platform.
*   The ad promises huge returns within a few days.
*   The “friendly advisor” asks for a lot of details about you claiming it’s because of KYC (Know Your Customer) regulations.
*   The website uses cheap top-level domains (TLDs) like .xyz, , .io, .shop, or .click.
*   The website URLs are typosquatting on major brands.

**How to protect yourself**

Besides being aware of the above red flags, here are some measures that generally keep you and your devices safe.

*   Use an active security solution that blocks malicious websites.
*   Don’t click on unsolicited links in emails, social media posts, and on untrusted websites.
*   Double check anything you read. Would a celebrity really endorse such an investment scheme? Is it real, or just clickbait or disinformation?
*   Don’t provide any personal information or send money to someone you just met online.
*   Verify that platforms are legit through official regulators (like the SEC in the US or FCA in the UK).

If you have already provided personal information to a scammer:

*   Immediately stop interacting with the scammer.
*   Change the passwords to important accounts and enable 2FA where possible.
*   Contact your banks and other financial institutions to alert them, and to freeze or flag any suspicious transactions.
*   Check your credit report and watch for signs of identity theft.
*   Report the crime to the authorities.

**Malwarebytes protects**

Malwarebytes protects against these scams.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 CNN, BBC, and CNBC websites impersonated to scam people 

A list of topics we covered in the week of July 7 to July 13 of 2025

July 10, 2025 - Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

July 10, 2025 - The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”

July 9, 2025 - Researchers have discovered a campaign of malicious browser extensions that were available in the official Chrome and Edge web stores.

July 8, 2025 - Google says its Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

July 8, 2025 - If someone is going to negotiate with criminals for you, that person should at least be on your side.

 A week in security (July 7 &#8211; July 13) 

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs…

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs ministry. Learn about their tactics, the LoptikMod malware, and why this cyber espionage campaign matters for global diplomacy.

A sophisticated campaign by the notorious DoNot APT group, also known by names like APT-C-35 and Mint Tempest, has recently targeted a European foreign affairs ministry. This attack, uncovered by the Trellix Advanced Research Centre, highlights the group’s expanding reach beyond its traditional focus on South Asia.

Active since at least 2016, the DoNot APT group is a persistent threat, primarily known for targeting government, military, and diplomatic organisations. This group is believed to operate with a focus on South Asian geopolitical interests and has been attributed by several vendors to have links to India. This recent incident, however, reveals a broadening of their operations into Europe.

Trellix’s researchers were able to identify this campaign by blocking the initial email chain, which allowed them to analyse the attack’s Tactics, Techniques, and Procedures (TTPs). Reportedly, the attackers employed a highly deceptive spear-phishing tactic, impersonating European defence officials.

These malicious emails, which mentioned a visit to Bangladesh, aimed to trick targets into clicking on a harmful Google Drive link. This method of using common cloud services for initial infection showcases the group’s adaptability in their approach.

The attack unfolded in several calculated steps. The initial spear-phishing email originated from a Gmail address (int.dte.afd.1@gmailcom). It featured a subject line related to diplomatic activities, specifically “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to properly display special characters like “é” in “Attaché,” signifying attention to detail to increase legitimacy.

Attackers’ TTPs (Source: Trellix)

Upon clicking the Google Drive link, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, meaning the malware would remain active through a scheduled task set to run every 10 minutes.

The malware involved in this campaign is LoptikMod, a tool exclusively associated with the DoNot APT group since 2018. This malware gathers system details such as CPU model, operating system information, username, and hostname.

This information is then encrypted and sent to a command and control (C2) server, which allows the attackers to maintain communication and potentially exfiltrate sensitive data. It is worth noting that beyond LoptikMod, the DoNot APT group also uses custom-built Windows malware, including backdoors like YTY and GEdit.

The targeting of a European foreign affairs ministry highlights the group’s unwavering interest in collecting sensitive information and its increasing global reach. Such attacks on diplomatic entities are classic examples of espionage operations, aiming to gain unauthorised access to classified state communications, policy documents, and intelligence reports.

Organisations, particularly those in government and diplomacy, are, hence, urged to enhance their cybersecurity measures, including stronger email security, network traffic analysis, and endpoint detection and response (EDR) solutions, to defend against these evolving threats.

DoNot APT Hits European Ministry with New LoptikMod Malware

A new SafetyDetectives study reveals the surprising extent of Google tracking across the web in the US, UK, Switzerland, and Sweden. Discover how Google Analytics, AdSense, and YouTube embeds collect your data, even when using DuckDuckGo.

Google and its tracking of user activity is nothing now but a recent study by SafetyDetectives, conducted across the US, UK, Switzerland, and Sweden, reveals the pervasive nature of Google’s tracking mechanisms across the internet.

The research, shared with Hackread.com, indicates that while privacy-focused search engines like DuckDuckGo can reduce exposure, completely escaping Google’s reach remains a significant challenge. The study simulated locations using a virtual machine and VPN to ensure accurate regional data collection.

The findings reveal that Google’s tracking extends far beyond its own products, embedded deeply within countless websites through tools like Google Analytics, AdSense, and YouTube embeds. This data helps Google build detailed user profiles for targeted advertising and personalisation, the researchers claim.

Source: SafetyDetectives

****Google’s Deep Reach and Content-Specific Tracking****

The study highlights that Google tracking can be reduced by 50% with DuckDuckGo, particularly in countries with stronger privacy regulations like Switzerland and Sweden. For instance, Google Analytics, a tool for website traffic analysis, appeared on only 14%–17% of DuckDuckGo visits in these privacy-focused nations, a notable drop from 45%–53% when using Google Search.

However, the report also found that in the US, over 40% of pages still sent data to Google even when DuckDuckGo was used. In the UK, a slight improvement was observed, with tracking dropping from 47% on Google to 29% with DuckDuckGo. Google Analytics, described as “everywhere,” was detected in one in five DuckDuckGo sessions across all four countries.

The research also pinpointed specific content categories where Google tracking is more prevalent. Such as YouTube and product-related searches consistently triggered a higher likelihood of Google tracking, regardless of the search engine used.

Conversely, visits to platforms like Wikipedia and TikTok showed minimal to no Google tracking. This suggests that the type of content accessed plays a crucial role in the extent of data collection by Google.

****Geographic Differences and Tracker Types****

The study emphasises that location significantly influences the degree of Google tracking. In the US, Google trackers were nearly unavoidable, often present on 100% of websites visited in some tests, even when a privacy-focused alternative like DuckDuckGo was employed.

This was primarily due to embedded analytics and ads on news and commercial sites. In contrast, Sweden and Switzerland demonstrated fewer instances of tracking, with DuckDuckGo proving more effective in blocking trackers, especially on news articles and Wikipedia.

Source: SafetyDetectives

Google Analytics emerged as the most widely used tracker across all four countries, appearing on nearly 50% of visited sites, reflecting its deep integration into web infrastructure. Other prominent trackers included Google Services (APIs, Maps, Fonts, Gtag), which are general services integrating Google’s infrastructure. Their integration was particularly high in Sweden and the US.

DoubleClick, an ad tracking service, appeared more frequently in Switzerland, while YouTube embeds, allowing videos to be played on other sites, showed higher usage in the US and UK compared to Sweden or Switzerland.

This comprehensive data highlights that even with privacy regulations like GDPR, Google’s embedded services continue to collect user data, making a complete escape difficult for the average internet user.

New Study Shows Google Tracking Persists Even With Privacy Tools

Thorsten takes stock of a rapidly evolving vulnerability landscape: record-setting CVE publication rates, the growing fragmentation of reporting systems, and why consistent tracking and patching remain critical as we move through 2025.

Thursday, July 10, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

**The one big thing **

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

**Why do I care? **

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

**So now what? **

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Security Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

**Top security headlines of the week **

**Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage**  
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer) 

**Jailbreaking AI with information overload**   
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media) 

**SatanLock is shutting down**  
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading) 

**Ingram Micro scrambling to restore systems after ransomware attack**  
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage over its services, and they were forced to take certain systems offline on Friday afternoon, in response to the incident. (SecurityWeek) 

**Malicious Chrome extensions with 1.7M installs found on Web Store**  
Malicious extensions with 1.7 million downloads in Google's Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

**Can’t get enough Talos? **

**Scams, jailbreaks and poetic justice**  
In this episode of the TTP, Hazel Burton sits down with Talos' Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

**Vulnerability Roundup**  
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

**PDFs: Portable documents, or perfect deliveries for phish?**   
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

**Beers with Talos: Terms and conceptions may apply**   
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Tag

#google