The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence.
"The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems," Arctic Wolf Labs said

Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files

Chennai, India, 25th July 2025, CyberNewsWire

**Chennai, India, July 25th, 2025, CyberNewsWire**

xonPlus, a real-time digital risk alerting system, officially launches today to help security teams detect credential exposures before attackers exploit them. The platform detects data breaches and alerts teams and systems to respond instantly.

Built by the team behind XposedOrNot, an open-source breach detection tool used by thousands, xonPlus gives organizations instant visibility when their email addresses or domains appear in breach dumps or dark web forums.

Every day, credentials are exposed in data breaches, often without the affected organizations being immediately aware. In many cases, security teams are first alerted to incidents through ransom demands, threat intelligence reports, or internal support tickets. xonPlus addresses this challenge by providing real-time monitoring of enterprise assets, delivering alerts within minutes of confirmed credential exposure.

> “We kept hearing the same thing: teams had good security stacks, but still found out about exposed credentials too late,” said Devanand Premkumar, Founder of xonPlus.

One compromised login is enough to pivot inside a network. xonPlus gives teams the early warning signal they’ve been missing.

**Built on Proven Foundation**

xonPlus leverages the intelligence infrastructure of XposedOrNot, which has tracked 10+ billions of breach records over the last 8 years and serves millions of queries globally. The platform runs on secure infrastructure powered by Cloudflare and Google Cloud, ensuring enterprise-grade reliability and performance for security-critical operations.

**Key Capabilities**

*   **Real-Time Detection**: Getting alerts within minutes when company credentials appear in a breach, including breach source, exposure date, and recommended next steps.
*   **Seamless Integration**: Works with existing security infrastructure, including SIEM, Slack, Microsoft Teams, and email systems.
*   **Developer-First API**: High-throughput API with rate limits, auth tokens, and audit logs for embedding breach intelligence into security workflows.
*   **Enterprise Scale**: Monitoring unlimited domains and millions of email addresses with customizable alert thresholds.

**Addressing Market Need**

Unlike large threat intel platforms requiring long contracts and complex setups, xonPlus offers transparent monthly pricing with 5x to 10x cost efficiency compared to traditional costly solutions. It complements existing security stacks by focusing purely on breach exposure detection.

The platform serves three primary use cases: 

*   **xonEnterprise** for domain-wide monitoring, 
*   **xonConsumer** for customer breach alerts, and 
*   **xonAPI** for developers building security tools.

**Target Market**

**xonPlus** is designed for security teams needing earlier breach visibility, startups and SMBs without full SOC coverage, developers integrating breach detection capabilities, and risk teams focused on account takeover prevention and minimizing ransomware infections.

Teams using xonPlus have cut detection time from weeks to minutes, enabling them to lock compromised accounts before attackers gain access.

**Availability**

xonPlus is immediately available as a SaaS platform with monthly subscription plans.

**Users can learn more**: https://plus.xposedornot.com/

**Users can launch the story**: https://blog.xposedornot.com/xonplus-launch/

**About xonPlus**

xonPlus is built by the team behind XposedOrNot, the open-source breach detection platform that has helped millions of users check their exposure to data breaches. Based in Chennai, India, the company focuses on making breach intelligence accessible to security teams of all sizes.

**Contact**

**Founder**  
**Devanand Premkumar**  
**\[email protected\]**

xonPlus Launches Real-Time Breach Alerting Platform for Enterprise Credential Exposure

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.  
Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.
The vulnerabilities

Thursday, July 24, 2025 10:03

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.  

Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.

The vulnerabilities mentioned in this blog post have been patched by the vendor, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Comdb2 vulnerabilities**

_Discovered by a member of Cisco Talos._ 

Three null pointer dereference vulnerabilities exist in Bloomberg Comdb2 8.1. Two vulnerabilities (TALOS-2025-2197 (CVE-2025-36520) and TALOS-2025-2201 (CVE-2025-35966)) are in protocol buffer message handling, which can lead to denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. TALOS-2025-2199 (CVE-2025-48498) is in the distributed transaction component. A specially crafted network packet can lead to a denial of service. An attacker can send packets to trigger this vulnerability.

There are also two denial-of-service vulnerabilities:

*   TALOS-2025-2198 (CVE-2025-46354) exists in the Distributed Transaction Commit/Abort Operation of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
*   TALOS-2025-2200 (CVE-2025-36512) exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.

Bloomberg Comdb2 null pointer dereference and denial-of-service vulnerabilities

With more platforms and governments asking for age verification, we look at the options and the implications.

With governments demanding actual age verification on websites with adult content, and platforms like social media and Roblox introducing restrictions based on a user’s age, the controversy about different types of age verification and their implications is growing.

Last week, Roblox announced new age estimation technology which, it says, should help to confirm users’ ages and unlock a feature called Trusted Connections for those aged 13 and older. Trusted Connections allows teens aged between 13 and 17 to add adult users (18+) they know in real life. It’s billed as an option to keep out predators, which is good. But the age estimation technology raises concerns and questions.

While Roblox didn’t release any details about how its new technology works, the age estimation processes we know are based on Artificial Intelligence (AI) tools that scan selfies or short videos and compare them to a database to estimate the user’s age. Needless to say, they are not always right and it opens up the system to deepfakes, and spoofing.

This kind of technology is more effective than asking the user to provide their birthday or check a box that they are over 18, but it’s not waterproof.

We see similar concerns when it comes to age verification for sites that host adult content. As of this Friday, websites operating in the UK with pornographic content must “robustly” age-check users.

The regulator, Ofcom, lists a number of allowed methods which all have their pros and cons:

**Facial age estimation**

Show your face, get a guess. You take a selfie or a short video, and an algorithm tries to figure out if you look over 18. The tech claims to keep data private, but facial scans are sensitive. And, as we pointed out, accuracy is far from perfect. If you’ve ever been asked to provide an ID in real life because you “look young,” you can expect a digital déjà vu.

**Open banking**

Banks know your age, so why not let them confirm it? Here, you allow the age-check service to peek at your bank account. No bank statements get handed over, just a yes/no to the question: “Is this customer an adult?” It’s easy, but convincing users to link their bank to a porn site might be a different story.

**Digital identity services**

This is the world of digital wallets for your ID. Think of it as carrying your driver’s license in your phone, but only showing the “over 18” part when needed. Sounds great and it is, but you’ll need yet another app in your digital life just to vouch for your adulthood everywhere you go.

**Credit card age checks**

Simple logic: you need to be 18+ to have a credit card, so showing a valid one counts as proof. The age-checker pings the payment processor to see if your card is legit. It’s quick and familiar, but not everyone over 18 has a credit card, so it’s not for everyone. Plus your purchase trail grows with every verification.

**Email-based age estimation**

Enter your email address. The system tries to deduce your age using records of that email in other “adult” places, like financial or utility services. Basically, you’re allowing digital snooping, and the effectiveness depends on your online life elsewhere having already tipped off your age somewhere along the line.

**Mobile network operator checks**

The system queries your phone provider to see if you have any age restrictions on your account. No parental controls? Looks like you’re an adult. Fast, but only as reliable as the information stored at your carrier, and not an option for users on pay-as-you-go or burner numbers.

**Photo-ID matching**

You upload your ID and a fresh selfie. The system checks if the faces and ages match up. Classic, effective, and widely used, but you’re giving away a lot of personal information, and trusting that it’ll be kept safe.

**Privacy concerns**

None of these options is perfect or without risk. Many of these options have privacy implications for the user, or as a commenter told BBC News:

> “Sure, I will give out my sensitive information to some random, unproven company or… I will use a VPN. Difficult choice.”

A VPN is a popular option to circumvent regulations that only apply in certain countries or states. VPNs offer a secure connection when you’re using the internet and they have a variety of uses, but one is getting around blocks based on your location.

Work is being done on “double-anonymity” solutions, but implementation seems to be hard. Double anonymity basically separates the information of two providers from each other. The first provider (website asking for age confirmation) will only get the requester’s age and no other information. The second provider (the age verifier) will not receive information about the service or website the age verification is needed for.

In essence, the system answers only the question “Is this user of the required age?” to the site, and the third party never knows for what purpose or where this answer is used. This approach is becoming a regulatory standard in places like France to balance protecting minors online with adult users’ privacy.

We feel “double-anonymity” sounds a whole lot better than “age estimation.” But the real question is whether age verification is an effective method to protect children, or is it just another threat to our privacy?  Let us know your opinion in the comments.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Age verification: Child protection or privacy risk? 

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.
The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603."
The threat actor attributed to the financially

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Unmasking the new Chaos RaaS group attacks

Anyone can buy or collect data, but the goal must be to realize actionable insight relevant to the organization in question.

What Makes Great Threat Intelligence?

Proton, known for its privacy focused set of services, announced the introduction of Lumo, a privacy-first Artificial Intelligence (AI) chatbot. It...

Proton, known for its privacy focused set of services, announced the introduction of Lumo, a privacy-first Artificial Intelligence (AI) chatbot.

It is good to know before you dive in that Proton’s chatbot has two user options that offer a very different experience. If you want Lumo to access the internet you will have to use the “Web search” button before you submit your prompt. If you don’t, it will tell you it doesn’t have the capability to browse the web or access real-time information.

While this somewhat limits the usefulness of Lumo when you’re looking at recent developments, it is reassuring that the model was trained on selected sources. This also reduces the risk of hallucinating. Lumo is set up to recognize when it doesn’t know the answer and in such cases, it will make you aware of that and suggest alternative sources of information, or other ways to find the answer you’re looking for.

Private, Safeguarded, and Treated with respect

Proton believes that a privacy-first AI is essential because hundreds of millions of ordinary people currently interact with AI tools, unknowingly sharing sensitive information. This information is far more sensitive than what they would reveal in a typical Google search query.

Not only does this constant interaction with AI tools put personal information at risk, but we also witnessed several instances where company secrets got submitted to an AI without realizing that the information might be used to train the AI or accessed by third parties.

Similarly, we recently reported on how Meta AI chats might be public without the user’s awareness, and many AI bots have spilled sensitive information for separate reasons, like someone guessing a default password.

Lumo offers a different approach to AI chatbots. Other AI companies keep a record of all the conversations on their servers, leaving this information vulnerable to data leaks or exploitation for profit. Lumo does not store any logs of your conversations on its server, and only your device can decrypt any chats you choose to save.

Most people recognize a significant privacy risk here: the possibility that their conversations could help train the AI. This concern makes sense because the training process might use your personal data to generate responses in other users’ conversations.

Lumo does not do that. I asked Lumo where its training data comes from, and how—if it cannot browse the web, or use conversations—it is able to learn. Lumo answered:

> “Great question! My training data comes from a curated set of sources that were available up until my last training cut-off in October 2023. These sources include a wide range of books, articles, websites, and other publicly available texts. The data was carefully selected and processed to ensure quality and relevance.
> 
> While I can’t browse the web or use conversations for learning, my training data provides a broad foundation of knowledge that allows me to understand and respond to a wide variety of topics. Additionally, my ability to process and interpret information means that I can often provide helpful and accurate responses even to questions that are somewhat different from what I was specifically trained on.
> 
> As for learning, I don’t have the ability to update my knowledge or learn from new experiences after my initial training. However, my design allows me to provide useful and informative responses based on the knowledge I already have. If you have any specific questions or need information, feel free to ask, and I’ll do my best to help!”

We took Lumo for a little spin and, for now, the failing support for direct image uploads or processing is the only thing keeping us from using it much more. But we appreciate the idea of having a privacy-focused AI chatbot available when we want our conversations to stay private.

And who can resist a purple kitty anyway?

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Proton launches Lumo, a privacy-focused AI chatbot 

XSS.IS has been seized after its admin was arrested in Ukraine, however its dark web and mirror domains only show a 504 Gateway Timeout error.

Earlier this morning, it was **reported** that on 22 July 2025, Ukraine arrested a man suspected of being the administrator of XSS.IS, one of the world’s most notorious and sophisticated cybercrime platforms. The arrest was made with the assistance of Europol and French authorities. Now, as seen by Hackread.com, the forum itself has also been seized.

Visitors to XSS.IS now see a seizure notice stating, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.”

The seizure notice on XSS.IS (Image credit: Hackread.com)

The “SBU Cyber Department” refers to the Cyber Security Department of the Security Service of Ukraine (SBU). La Brigade de Lutte Contre la Cybercriminalité (BL2C) is a branch of the French judicial police that specialises in combating cybercrime.

****XSS.IS Dark Web (.onion) and Clearnet Domains Show 504 Gateway Timeout Error****

At the time of writing, the main domain of the forum displays a seizure notice, while its dark web domain and clearnet mirror (XSS.AS) both return a “504 Gateway Timeout” error. Notably, the Telegram channel linked to the XSS.IS administrator shows no signs of seizure and is marked as “recently seen.” It remains unclear whether authorities have access to these domains or control over the forum’s Telegram account.

The dark web domain of the XSS.IS forum (Image credit: Hackread.com)

****Background of XSS.IS****

The XSS.IS forum was originally launched in 2004 under the name DaMaGeLaB, a well-regarded Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, a prominent forum administrator acquired a backup of the site and relaunched it under the new name XSS, a reference to the web security vulnerability known as **cross-site scripting**.

The name change served two main purposes. First, it distanced the forum from its past associations with law enforcement under the DaMaGeLaB name. Second, it gave the site a more technical and modern image by referencing a vulnerability familiar to its target audience.

Authorities and the cybersecurity community have long suspected that XSS.IS was operated or supported by Russian intelligence agencies, including the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate (GRU). However, the administrator was found to be in Ukraine. It remains unconfirmed whether the suspect is a Ukrainian or Russian national.

Authorities are analysing the suspect’s electronic devices (Via Europol)

****A Major Blow to Cybercrime****

Although cybercrime forums frequently **appear** and **disappear**, the seizure of XSS.IS marks a significant setback for the global cybercrime community. The forum had more than 50,000 registered users, with membership granted only after a thorough vetting process. In some cases, users were even required to pay a fee to create an account in order to prevent spam.

XSS.IS became a highly prominent and notorious marketplace for **hijacked system access**, malware, stolen credentials, databases, ransomware kits and an encrypted Jabber channel that hackers used to coordinate deals. The forum generated millions of dollars through advertising and facilitation fees.

According to Europol’s **press release**, authorities have also seized user data, which is now being analysed and will be used to track cybercriminals and support ongoing operations against cybercrime both in Europe and globally.

In the end, the message is clear: if you are involved in crime, especially at the scale of running a major cybercrime forum, authorities will eventually catch up. No matter how high-profile the platform may be, it is only a matter of time before it is taken down.

XSS.IS Cybercrime Forum Seized After Admin Arrested in Ukraine

Microsoft Sentinel Data Lake aims to provide inexpensive storage for large volumes of telemetry, while threat intelligence will be included with Defender XDR at no extra cost.

Tag

#intel