Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits.

Ransomware attacks have loomed for years as an urgent digital threat with no easy solution—especially as they have evolved to include data grab-and-leak attacks that may not even involve data-encrypting malware at all. Traditional ransomware that locks up files and systems is still rampant, though, and Google on Tuesday launched a new defense for its Google Drive for desktop apps that aims to quickly detect ransomware activity and halt cloud syncing before an infection can spread.

While antivirus scanners monitor for signs of malware across a system, the new ransomware protections in Drive for desktop are meant to act as an additional line of defense. The detection capability is built on an AI model that Google trained using millions of real victims’ files that had been encrypted with various strains of ransomware. And the feature is designed to detect and contain suspected ransomware in desktop Drive very quickly. For enterprise Google Workspace customers, the feature is an asset, protecting files of any format that are stored in Drive for desktop and allowing users to easily restore any data that is encrypted or corrupted by malware. But like other ransomware detection and data-backup features, the tool is a treatment not a cure.

“The innovative part is doing that real-time detection and quickly stopping the sync to minimize the damage. That was what our customers were telling us they really wanted,” says Jason James, a product manager for Google Workspace. “You’ve got hundreds, millions, billions of users—and so to check every file quickly and accurately and wherever the user is around the world were all challenges.”

A warning that Drive for desktop has detected ransomware and paused cloud syncing.

Courtesy of Google

Designed to work in tandem with the malware monitoring tools that Google already builds into Drive, Chrome, and Gmail, the protection was built using the expertise of Google's core antivirus software development team, James notes.

“For me, the coolest part is that we can take this AI-based way of detecting ransomware behavior and then we can pair it with protecting the user’s data so we minimize the damage,” James says. “We see it as a missing safety net.”

The feature has some straightforward limitations, though. It is only relevant at all, of course, if a business or institution uses Drive for desktop in the first place—a not insignificant caveat when so much of enterprise software is still dominated by Microsoft. Additionally, Drive for desktop is an app for Windows PCs and Macs. If ransomware is tearing through digital files that aren't stored in Drive, Google has no ability to detect the infection.

Other cloud storage platforms, including Microsoft's OneDrive and Dropbox, offer features with similarities to the new Drive for desktop ransomware protection. And while detection and response are crucial components as defenders work to deter cybercriminals and empower victims to withhold ransom payments, the benefits and limitations of each individual tool serve as a reminder that there is still no panacea for the threat of ransomware.

Google’s Latest AI Ransomware Defense Only Goes So Far

The Problem: Legacy SOCs and Endless Alert Noise
Every SOC leader knows the feeling: hundreds of alerts pouring in, dashboards lighting up like a slot machine, analysts scrambling to keep pace. The harder they try to scale people or buy new tools, the faster the chaos multiplies. The problem is not just volume; it is the model itself. Traditional SOCs start with rules, wait for alerts to fire,

****The Problem: Legacy SOCs and Endless Alert Noise****

Every SOC leader knows the feeling: hundreds of alerts pouring in, dashboards lighting up like a slot machine, analysts scrambling to keep pace. The harder they try to scale people or buy new tools, the faster the chaos multiplies. The problem is not just volume; it is the model itself. Traditional SOCs start with rules, wait for alerts to fire, and then dump raw signals on analysts. By the time someone pieces together what is really happening, the attacker has already moved on, or moved in. It is a broken loop of noise chasing noise.

****Flipping the Model: Context Over Chaos****

Instead of drowning in raw events, treat every incoming signal as a potential opening move in a bigger story. Logs from identity systems, endpoints, cloud workloads, and SIEMs do not just land in separate dashboards; they are normalized, connected, and enriched to form a coherent investigation. A brute-force login attempt on its own is easy to dismiss. But when enhanced with user history, IP reputation, and signs of lateral movement, it is no longer background noise. It becomes the first chapter of an unfolding breach.

Context is the difference between ignoring another failed login and stopping an attack in motion.

****Enabling Analysts with Story-Driven Workflows****

The goal is not to hand analysts a bigger stack of alerts, it is to give them a story that already has shape and meaning. When analysts open a case, they see how the activity fits together, what actors are involved, and what paths the threat has already taken. Instead of starting from scratch with scattered evidence, they begin with a clear picture that guides their judgment. That shift changes the nature of the job itself.

****Human-Centric AI That Enhances, Not Replaces****

This is not about replacing humans with AI. It is about giving humans the space to actually do security. When technology handles the grind of collecting, correlating, and enriching signals, analysts can focus on what they do best: interpreting meaning, thinking creatively, and applying institutional knowledge.

*   **Junior analysts** can develop investigative reasoning by studying complete cases instead of clicking through endless queues,
*   **Mid-level analysts** gain time to hunt and test new hypotheses
*   **Senior analysts** focus on attacker behavior and strategy, shaping how defenses evolve.

The work stops feeling like endless triage and starts feeling like security again.

****Measurable Results: Faster MTTR, Fewer False Positives****

The results are measurable and dramatic. False positives drop sharply. Mean time to resolution shrinks from hours to minutes. Quality and accuracy shoot up. Teams finally have the capacity to investigate the subtle, low-level signals where attackers often make their first moves.

That is what happens when SOC teams stop chasing alerts and start building context.

****Defining the Cognitive SOC****

A SOC that thrives is not the one with the most dashboards or the biggest analyst headcount. It is the one that can learn and adapt, quickly turn signals into stories, make confident decisions, and act before chaos spirals. That is the promise of a "cognitive SOC." Technology organizes the noise, and analysts deliver the answers.

****Moving from Alert Chaos to Contextual Clarity****

Conifers helps enterprises and MSSP security business leaders escape the tradeoff between effectiveness and efficiency with CognitiveSOC™, an AI SOC agent platform that scales investigations with intelligence and context. Instead of drowning analysts in noisy alerts or forcing MSSPs to sacrifice margins, Conifers blends agentic AI, advanced data science, and human oversight with an organization's own institutional knowledge to automate end-to-end, multi-tier investigations with reasoning and intent. By mapping incidents to use cases and dynamically applying the right AI techniques, CognitiveSOC produces contextual, evidence-backed outputs that align with each organization's risk profile and analyst preferences. This results in faster, higher-quality investigations and decision-making, reduced alert fatigue, and improved SOC outcomes at scale. More context, less chaos.

Visit Conifers.ai to request a demo and experience how CognitiveSOC transforms noisy alerts into contextual investigations that boost efficiency, protect margins, and strengthen security posture.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Stop Alert Chaos: Context Is the Key to Effective Incident Response

Google can create and manage passkeys from your browser, but the process is more involved than it suggests.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Google wants you to start using passkeys. Its vision is to “progress toward a passwordless future," allowing you to store passkeys in the Google Password Manager service. For websites that support the login method, Google now allows you to generate, store, and sync passkeys. The problem is actually finding a consistent way to do it.

It’s easy to change your password, but it’s not so easy to add passkeys to an account you’ve already created, much less manage them solely in your browser. Still, you can use passkeys with the Google Password Manager on supported websites; you'll just need to jump through a few hoops first.

*   **How to Set Up a Passkey for Your Google Account**
*   **How to Use Passkeys With Google Password Manager**
*   **What to Do if You Lose Your Google Passkeys**
*   **Why Passkeys Are Easier With a Password Manager**

**How to Set Up a Passkey for Your Google Account**

You can learn more about passkeys here, but in short, they're a method to confirm you are who you say you are so that you don't have to remember a long password for every app and website you log in to. You can use a passkey for your Google account, but you can also store passkeys for other websites with the Google Password Manager, which is available on Chrome or directly through Android.

To use a passkey with your Google account, go to g.co/passkeys and follow the prompts. You’ll log in to your Google account and create a passkey, either bound to your device or stored in a third-party password manager. If you aren’t using a third-party password manager, your Google passkey will be bound to the device you’re using. Apple devices sync your passkeys across other Apple devices with iCloud Keychain, but otherwise you’ll need the device you created the passkey on to log in.

Creating a passkey for your Google account is simple. What’s important is that you’re doing it on a device that supports passkeys. Here’s what you need:

*   A computer with Windows 10, macOS Ventura, ChromeOS 109, or newer; or a phone with iOS 16 or Android 9, or newer;
*   A supported browser (Chrome 109, Safari 16, Edge 109, Firefox 122, or newer).

Once you’ve made a passkey, you can manage it at myaccount.google.com. There, select **Security,** and then choose **Passkeys and Security Keys** to see the passkeys you have. You can—and likely will, if you aren’t using a third-party password manager—have multiple passkeys for different devices, even if they’re used to log in to the same account.

How Safe Are Google Passkeys?

A passkey for your Google account is generally safer than using a password. Passkeys rely on asymmetric encryption with a public-private key pair, and only you have access to your private key. Even in the event of a breach or phishing scheme, an attacker can't access your account without your private key, which never leaves your device.

A password uses symmetric encryption, and it's what you'd call a “shared secret” in the world of cybersecurity. With a password, Google needs to store an encrypted copy on its servers, opening up the potential of a breach. Further, you need to remember your password, which opens the door for phishing and social engineering attacks.

Is It Safe to Store Passkeys in Google Password Manager?

The Google Password Manager available through Chrome stores your logins locally on your device. It can sync your logins across devices, but an encrypted copy is kept locally. A file containing your encryption key is also available locally, and combining the two files with a Python script and a little know-how can expose your passwords on Windows.

Someone would need access to your device for this kind of attack, which isn't likely on a desktop, but it's worth keeping the risk in mind. If you travel often or could have your device easily lost or stolen, it's a good idea to store passkeys elsewhere, such as in a password manager.

Should I Use a Password Manager for Passkeys?

You can create and manage passkeys on Windows through Windows Hello, on macOS and iOS through iCloud Keychain, and on Android or in your browser through Google Password Manager. However, using a third-party password manager like Proton Pass or 1Password makes things a lot easier.

An external password manager allows you to sync your passkeys across devices, and they're bound to the password manager itself, rather than your device. If you have a device that's authenticated with your password manager, you can access your passkeys, too.

**How to Use Passkeys With Google Password Manager**

Google would like you to believe that saving passkeys in the Google Password Manager happens almost magically. You sign in to or sign up for an account, Google steps in and asks if you want to save a passkey, and you’re done. Google even says it can upgrade accounts stored in Google Password Manager automatically with passkeys.

The process, unfortunately, is more involved. First, you need to enable passkeys for the Google Password Manager. They're enabled by default, but to double check, open Chrome, and follow these steps:

1.  Click the three dots in the upper right corner;
2.  Hover over **Passwords and Autofill** and choose **Google Password Manager** from the menu;
3.  In the tab that opens, choose **Settings**;
4.  Ensure the **Offer to Save Passwords and Passkeys** setting is turned on.

Google via Jacob Roach

Now, we need a website that supports passkeys. There are a handful of different directories online—Hanko’s directory is the easiest, but this community directory is more comprehensive. I’ll use Best Buy for this example, which supports passkeys.

To set up a passkey with Google Password Manager, you need your credentials for the service in question already stored. For Best Buy, go to the website and log in. When the Google Password Manager prompts you, choose to save your username and password in Google Password Manager.

With that done, follow these steps on the Best Buy website:

1.  Select the drop-down for your account name, and choose **Account Settings**;
2.  Under the **Account Security** box, choose **Passkey (Face or Fingerprint Sign-In)**;
3.  Select **Create a Passkey**.

Google via Jacob Roach

Once you create a passkey, a pop-up will appear asking you to verify your identity with another device logged in to your Google account. If this is the first passkey you’re creating with Google Password Manager, you’ll also need to set up a PIN.

Every service is a bit different, but you need to initiate the passkey creation from the service you want a passkey for, not from Google Password Manager. Once the passkey is stored, you’ll see it alongside your normal login credentials in Google Password Manager.

Google via Jacob Roach

**What to Do if You Lose Your Google Passkeys**

There’s an obvious issue with passkeys, and that’s account recovery. Passkeys are tied to a particular device, so if that device is lost or stolen, you won’t be able to sign in to your account. Google, thankfully, syncs your passkeys across devices with access to your Google account, but you may still need to do some clean-up. There are two steps you need to take if you no longer have access to a device that holds your passkey.

First, you need to remove the passkey from that device. For your Google account, that’s simple enough:

1.  Go to myaccount.google.com;
2.  Select the **Security** tab from the left menu;
3.  Choose **Passkeys and Security Keys** under the **How You Sign In To Google** section;
4.  Remove the passkey you created;
5.  If you have a device-bound key, such as on an Android device, signing out of that device will remove the passkey. The link next to these devices will take you to the right page, but you can navigate to **Your Devices** in the **Security** section, as well.

Other websites that support passkeys allow you to remove them, as well. In our Best Buy example, for instance, you’ll find a **Remove All Passkeys** button in the same place you created the passkey. After that’s done, you can regenerate a passkey following the steps above on a new device you have access to. In the event you can’t access a new device, Google and other services that support passkeys have fallback options, including a recovery code or your standard password.

**Why Passkeys Are Easier With a Password Manager**

The problem with using your Google for passkey storage is, well, Google.

Apple, Microsoft, and Google have all been quick to adopt passkeys as an alternative form of authentication, and they’ve been just as quick to place restrictions on where you can and can’t save or use passkeys. It’s a mess. For instance, when you log in to iCloud, Apple says you can use a passkey but only with a device running iOS. Google automatically generated a passkey for my account when I recently switched my phone to the OnePlus 13R, and yet it doesn’t work, no matter how many QR codes I scan on a device that, supposedly, holds my Google passkey. Then there’s Windows and Microsoft. Those keys don’t even work across devices.

To avoid the platform-locked squabble of multibillion-dollar corporations, I recommend using a third-party password manager. Most of the best password managers come with passkey support, and you’ll be able to save and sync your passkeys across devices.

I use Proton Pass, but 1Password, NordPass, and others also support passkeys. You can save passkeys in Chromium-based browsers with your password manager’s extension, and both Android and iOS now allow third-party apps to store and manage passkeys.

There’s no nonsense about which devices support which passkeys, and you don’t need to tap dance around your devices just to save one. Most importantly, storing your passkeys in a password manager gives you flexibility. If you want to switch from Android to iPhone, or from macOS to Windows, or try out some new, hot browser, you can. Some services, such as Proton Pass, even allow you to share and export passkeys.

How to Use Passkeys With Google Password Manager (2025)

Apple has patched a serious vulnerability (CVE-2025-43400) in how devices handle fonts.

Apple has released important security updates to address a critical vulnerability in _FontParser_—the part of MacOS/iOS/iPadOS that processes fonts.

Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to crash or corrupt process memory, potentially leading to arbitrary code execution.

While Apple hasn’t said it’s being actively exploited, similar bugs have been used in jailbreaks and spyware attacks in the past, so it’s smart to patch it promptly.

**How to update your devices******How to update your iPhone or iPad****

For iOS and iPadOS users, you can check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

******How to update macOS on any version******

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

****How to update Apple Watch****

*   Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General > Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

****How to update Apple TV****

*   Turn on your Apple TV and make sure it’s connected to the internet.
*   Open the Settings app on Apple TV.
*   Navigate **to System > Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**Updates for your particular device**

**Name and information link**

**Available for**

iOS 26.0.1 and iPadOS 26.0.1

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

iOS 18.7.1 and iPadOS 18.7.1

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

macOS Tahoe 26.0.1

macOS Tahoe

macOS Sequoia 15.7.1

macOS Sequoia

macOS Sonoma 14.8.1

macOS Sonoma

visionOS 26.0.1

Apple Vision Pro

watchOS 26.0.2 no published CVE entries.

Apple Watch Series 6 and later

tvOS 26.0.1 no published CVE entries.

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The vulnerability tracked as CVE-2025-43400 was described as an out-of-bounds write issue in FontParser that, when exploited, could cause the processing of a maliciously crafted font to lead to unexpected app termination or corrupt process memory.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Typically, fonts are safe and standardized files used daily in countless apps and websites, but due to this vulnerability an attacker can create a specially crafted font file containing manipulated data that exploits vulnerabilities in the font processing engine of the operating system. When this malicious font is loaded by an app or system process, it can trigger memory corruption or crashes. In worst-case scenarios, this can enable attackers to execute harmful code remotely, gaining control over the device.

Given that fonts are widely used and often processed silently in the background, font vulnerabilities pose a significant risk vector for attackers aiming to compromise devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes critical font processing bug. Update now! 

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway.
From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security

⚡ Weekly Recap: Cisco 0-Day, Record DDoS, LockBit 5.0, BMC Bugs, ShadowV2 Botnet & More

A team of researchers found that, by not encrypting the data broadcast by Tile tags, users could be vulnerable to having their location information exposed to malicious actors.

Tile trackers, used to locate everything from lost keys to stolen pets, are used by more than 88 million people worldwide, according to Tile’s parent company, Life360. But researchers who examined the tracking technology have found design flaws that would let stalkers—or potentially the manufacturer itself—track the location of Tile users and their devices, contrary to claims the company has made about the security and privacy of its devices.

The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner. The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.

The researchers say this would give Tile the ability to conduct “mass surveillance” on its users and potentially provide that information to law enforcement and others.

The researchers also found that Tile’s anti-stalking protection can be easily undermined if a stalker enables an anti-theft feature that Tile offers with its tags. Additionally, someone could falsely frame a Tile owner for stalking by recording the unencrypted broadcasts their Tile device makes and replaying these broadcasts in the vicinity of another Tile user, making it seem like the former is stalking the latter.

The researchers reported their findings to Tile’s parent company, Life360, last November, but they say the company stopped communicating with them in February. WIRED sent Life360 an email asking for a response to the issues raised by the researchers, but a spokesperson sent a reply that did not explicitly address the problems. The email said only that the company had “made a number of improvements” since receiving the researchers’ report, without specifying what those were.

Tile sells stand-alone tags, but its tracking technology is also embedded in laptops, headphones, smartwatches, and other products made by companies like Dell, Bose, and Fitbit. The researchers reverse engineered Tile’s protocol and Android mobile app used with the Tile Mate, the company’s most popular tracker tag. They say their findings may not apply to other models of Tile tags or the Tile technology used in products made by third parties.

**How Tile Tags Work**

Tile trackers operate similarly to tracking tags made by Apple, Google, and Samsung. But Tile’s system differs in important ways. Like the others, Tile tags are battery-powered and use Bluetooth to broadcast their location to a user’s phone. Users can slip a tag into a briefcase, luggage, or vehicle, or attach it to keys, a phone, laptop, or even a pet collar to track the location of these items.

Each Tile tag broadcasts the tag’s MAC address and a unique ID, which changes periodically. If an item paired with the tag goes missing the owner, using their Tile app, can instruct the tag to emit a sound to locate it. For items farther away, the system relies on the network of phones belonging to other Tile users. These also pick up the broadcast of any Tile device near them. And since 2021, Ring cameras, Echo devices, and Tile tags have been integrated into Amazon’s Sidewalk network, meaning Ring and Echo devices can pick up the location of Tile tags as well.

Each time these devices pick up the broadcast from a Tile tag, the location, MAC address, and unique ID of that tag get sent to a Tile server where it’s stored in a database, the researchers found. The owner of a lost tag and item can then use their Tile app to query the database for their latest location. The problem, according to the researchers, lies in how Tile has implemented this system.

Tile claims that user information transmitted across its network can’t be seen by anyone. “You are the only one with the ability to see your Tile location and your device location,” the company states in its privacy policy. But the researchers found that the MAC address and unique ID that a Tile tag broadcasts is not encrypted, allowing someone in the vicinity of a tag with a Tile app on their phone or a radio frequency antenna to intercept this information as its transmitted and track the location of the tag and associated item or its owner.

Other tag makers replace the MAC address with a rotating unique ID and only transmit the ID. By changing the ID periodically, someone recording broadcasts from a tag cannot easily link multiple broadcasts to the same tag to track the movement of that tag and associated item or owner.

But because Tile’s system transmits both the MAC address and the unique ID, and does not encrypt this transmission, someone can intercept this information. Tile’s unique ID also rotates—it changes every 15 minutes if the tag is near the owner’s phone or once in 24 hours if not—but because the MAC address is static and does not change, it can be used to track a tag regardless of the changing ID. Even if Tile chose to not transmit the MAC address, the researchers say, the way Tile generates the changing ID is not secure and can still be used to track a tag.

“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” says Kumar, who says this creates a risk of systemic surveillance for anyone whose tag is caught up in a scan.

Law enforcement could potentially use this to identify anyone in an area that has a Tile tag or Tile-enabled device. And because this location information seems likely to be stored unencrypted on Tile’s server, researchers say, Tile could also track the location of tags or share this information with any third party.

“These issues transform Tile’s infrastructure into a global tracking network,” the researchers claim in a paper they wrote about their findings.

When an Apple, Google, or Samsung tag gets detected in a scan, the report that gets sent to the company servers containing the tag’s ID and location information is end-to-end encrypted so that no one can intercept the broadcasts as they’re transmitted, and the companies themselves cannot see the location information to track the movement of the tags. Only a tag owner can see this information because a key on their phone decrypts the location data on the company’s server that is associated with their tag ID.

“They have designed their system intentionally such that they aren’t able to recover your location or the location of where your items are,” says Specter. “Because they don’t want to be in the business of knowing where all people are at all times.”

**Talking Anti-Stalking**

In a study published last year, researchers measuring the misuse of Bluetooth location trackers—including devices from Apple, Tile, Samsung, and Chipolo—found that more than 40 percent of stalking victims had been tracked with Bluetooth tags hidden in their cars, purses, or backpacks.

To address this, makers of location-tracking technology have implemented solutions to alert users when a tracking device they don’t own appears to be moving with them. But the researchers say that Tile’s implementation is flawed in ways that both undermine its effectiveness and make it susceptible to being used to track the movement of other users.

Unlike other trackers—which conduct a continuous scan for trackers in a user’s vicinity that they don’t own and automatically alert the user to the presence of these trackers—Tile’s so-called Scan and Secure system has to be manually initiated by a user through the Tile app. The scan lasts only 10 minutes, and the user has to be moving around an area while the scan is in progress to detect tags that are moving with them. Users have to also remember to re-initiate scans periodically to detect any rogue devices that might be traveling with them since their last scan.

Tile’s app performs six Bluetooth scans during the 10 minutes and extracts the MAC address and unique ID from each broadcast it detects. The app then checks these addresses against a database to determine if they are paired with the phone of the person doing the scan. Any address or ID that is not paired with their phone is designated “unknown.” The app produces a report of these tags for the person to view. It also sends a message to the Tile server with all the MAC addresses and unique IDs detected during the six scans, and the number of times they appeared.

But the researchers found that the Scan and Secure feature is undermined by another feature Tile offers for preventing theft. The researchers say this anti-theft mode is unique to Tile, and the problems it presents for Tile users may be the reason.

The aim of anti-theft is to prevent would-be thieves from running a scan using a Tile mobile application to see if there is a Tile tag paired with an item they plan to steal. But when a tag owner enables anti-theft to make their tag invisible to would-be thieves, those tags also won’t be visible to someone running a scan to determine if they are being stalked with a rogue tag. This means a stalker could hide their stalking tag by putting it in anti-theft mode. A scan will still detect the tag and send its MAC address, unique ID, and location to Tile’s servers, but the tag won’t be included in the scan results that are displayed to the user who initiated the scan, effectively making potential stalking victims blind to rogue devices that may be following them.

Kumar says other makers of location trackers avoid this by not even offering anti-theft mode for their products.

“They never say, ‘Here’s a tag that can prevent your devices from being stolen.’ They say it helps recover lost devices. Anti-theft is just not a feature,” she says. “That’s a compromise that these companies are willing to make in order to have stronger anti-stalking properties.”

The researchers also say that the anti-theft mode isn’t foolproof because a user with a modified Tile app can easily circumvent it to collect and display all MAC addresses and unique IDs recorded during a scan, regardless of whether any of those tags are using anti-theft mode.

Tile believes it solves the anti-theft abuse problem by requiring that anyone who enables anti-theft mode for their tag provide a government-issued ID and live photo of their face to Tile before anti-theft mode will be enabled. Users of this mode also have to consent to a $1 million fine if they are convicted of using Tile for stalking—though the researchers point out that it’s unclear if this is enforceable.

Tile states in its terms that the identity information users provide will be shared with law enforcement if Tile believes someone has abused the feature for stalking. But the company is inconsistent about whether law enforcement needs a warrant to get this information. In a FAQ the company says it will “work with law enforcement through a properly issued court order to identify the owner of a suspicious Tile.” But in the terms for its anti-theft mode, users agree that their “personal information can and will be shared with law enforcement at our discretion, even without a subpoena” to aid investigations of suspected stalkers.

Lastly, the researchers say someone can abuse the Scan and Secure feature to frame someone else for stalking by executing a replay attack to impersonate their Tile tag. Using a radio-frequency antenna to collect the unencrypted broadcasts from another user’s tag, an attacker can extract the MAC address and unique ID from these broadcasts, and transmit that in another location. If a user conducts an anti-stalking scan in that location, they would see this MAC address and unique ID in the scan, and this information and the location of where it was scanned would be sent to Tile’s server, making it appear as if that tag was near the person who did the scan. There is no way to determine, the researchers say, if a MAC address and unique ID was emitted by a legitimate Tile device or someone maliciously replaying that information.

The researchers say many of the problems they found could be addressed simply by Tile encrypting the broadcasts from its tags, and they don’t understand why the company apparently hasn’t followed the example of its competitors.

Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say

Singapore, Singapore, 29th September 2025, CyberNewsWire

**Singapore, Singapore, September 29th, 2025, CyberNewsWire**

*   Analyzing over 14 billion cyber-attack records daily, ThreatBook ATI is a global solution enriched with granular, local insights; and can offer organizations a truly APAC perspective.
*   Boasting low false positive rates, the solution is highly compatible with existing security stacks.
*   ThreatBook ATI provides actionable insights for threat detection and response, enabling organizations to accelerate their intelligence analysis, and make more informed decisions. 

ThreatBook, a global leader in cyber threat intelligence, detection and response, today announced the worldwide launch of ThreatBook Advanced Threat Intelligence (“ThreatBook ATI”). Spearheaded from its offices in Singapore and Hong Kong, the new service offers unique industry insights for threat intelligence platforms (TIPs), security operation centers (SOCs) and cybersecurity analysts globally.

Of note, ThreatBook ATI is able to capture new, difficult-to-detect threats emanating from within Asia, where coverage from many global vendors remains limited. It is also able to better identify Western attackers targeting Asian organizations as well. ThreatBook ATI’s capabilities are particularly timely, with 34% of cyber-attacks worldwide taking place within the Asia Pacific (APAC).

A further noteworthy feature of ThreatBook ATI are its low false positive rates. ThreatBook’s proprietary intelligence collection systems, which operate globally and in real time, employs dozens of analysis engines to deeply mine enormous raw datasets. False positives are filtered through AI-based models, followed by cross-verification by professional security analysts. ATI also applies AI to classify and label threat reports, transforming unstructured intelligence into structured insights, and features a built-in assistant that can rapidly correlate data to answer analysts’ questions. This layered process ensures the intelligence remains highly accurate and reliable. Over 14 billion attack records are identified daily, including over 80 million malicious inbound internet protocols (IPs), more than six billion malware files, over 7,000 high risk vulnerabilities, and more than 600 zero-day vulnerabilities. 

> “With several billion attack records from all corners of the world analyzed daily, ThreatBook ATI is a truly global solution enriched with granular, local insights,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook.

> “We are of the opinion that Asia Pacific-centric threat intelligence matters, as tactics, techniques, and procedures (TTPs), tooling, language, command and control (C&C) infrastructure, and targeting patterns differ by region – and ATI can offer organizations a truly APAC perspective. We have a track record of exclusive discovery when it comes to cybercriminals, including advanced persistent threat (APT) groups; and at the end of the day, local context quickens threat detection and reduces dwell time.”

Integration with existing security stacks is key. Studies repeatedly find that a single unified platform, which provides a centralized view of cyber risks across the entire organization, is a priority for cybersecurity teams around the world. ThreatBook ATI is highly compatible with existing security stacks. Its output is available in both machine-readable and human-readable formats, making integration straight-forward.

Customer access is hassle-free. For TIPs, ThreatBook ATI can be purchased through platform marketplaces, or can be integrated through feeds or application programming interfaces (APIs). For SOCs, ThreatBook ATI feeds integrate easily with security information and event management (SIEM) solutions, firewalls and other security tools. While for cybersecurity analysts, ThreatBook ATI is accessible globally via a web portal.

> “High quality threat intelligence enhances existing security tools, which often rely on vulnerable rule-based signals, making them more reliable and accurate, and leading to less false positives across the stack,” added Mr. Xue. “By providing actionable insights for threat detection and response, organizations are able to accelerate their intelligence analysis, and make more informed decisions to better manage today’s myriad of cyber risks.”

ThreatBook ATI is a timely addition to the company’s acclaimed suite of cybersecurity solutions. Since 2015, thousands of enterprise organizations globally have placed their trust in Threatbook across the entire threat lifecycle — from detection to analysis, response and protection; all powered by the company’s proprietary intelligence core.

In 2025 alone, leading analyst firms have recognized ThreatBook, featuring the company in Forrester’s Network Analysis And Visibility Solutions Landscape, Q2 2025 report, and the inaugural Gartner Magic Quadrant for Network Detection and Response (NDR). In both instances, ThreatBook was one of a limited number of vendors recognized.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, users can visit www.threatbook.io or follow them on LinkedIn.

ThreatBook ATI is not available in mainland China.

https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

https://www.msspalert.com/native/the-strategic-shift-toward-unified-cybersecurity-platforms

**Contact**

**Belmont Communications on behalf of ThreatBook**  
**\[email protected\]**

ThreatBook Launches Best-of-Breed Advanced Threat Intelligence Solution

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).
"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called **PlugX** (aka Korplug or SOGU).

"The new variant's features overlap with both the **RainyDay** and **Turian** backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.

The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.

PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).

Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon).

The victimology patterns – particularly the focus on telecommunications companies – and technical malware implementation had yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tools from a common vendor.

In one incident detected by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares its borders with Uzbekistan, which has been previously singled out by BackdoorDiplomacy. What's more, both hacking crews have been found to zero in on South Asian countries.

The attack chains essentially involve abusing a legitimate executable associated with Mobile Popup Application to sideload a malicious DLL that's then used to decrypt and launch PlugX, RainyDay, and Turian payloads in memory. Recent attack waves orchestrated by the threat actor have heavily leaned on PlugX, which uses the same configuration structure as RainyDay and includes an embedded keylogger plugin.

"While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor," Talos said. "These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign."

**Mustang Panda's Bookworm Malware Detailed**

The disclosure comes as Palo Alto Networks Unit 42 sheds light on the inner workings of the Bookworm malware used by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. The advanced RAT comes fitted with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.

Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.

Bookworm utilizes legitimate-looking domains or compromised infrastructure for C2 purposes so as to blend in with normal network traffic. Select variants of the malware have also been found to share overlaps with TONESHELL, a known backdoor associated with Mustang Pana since late 2022.

Like PlugX and TONESHELL, attack chains distributing Bookworm rely on DLL side-loading for payload execution, although newer variants have embraced a technique that involves packaging shellcode as universally unique identifier (UUID) strings, which are then decoded and executed.

"Bookworm is known for its unique modular architecture, allowing its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server," Unit 42 researcher Kyle Wilhoit said. "This modularity makes static analysis more challenging, as the Leader module relies on other DLLs to provide specific functionality."

"This deployment and adaptation of Bookworm, running in parallel with other Stately Taurus operations, showcases its long-term role in the actor's arsenal. It also points to a sustained, long-term commitment to its development and use by the group."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

Companies are going to great lengths to protect the infrastructure that provides the backbone of the world’s digital services—by burying their data deep underground.

Inside the Nuclear Bunkers, Mines, and Mountains Being Retrofitted as Data Centers

By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.

In the wake of Charlie Kirk’s killing, the Republican policy apparatus went immediately to work. The Heritage Foundation, which published Project 2025, and its spinoff, the Oversight Project, issued a call for the Federal Bureau of Investigation to designate “Transgender Ideology-Inspired Violent Extremism,” or TIVE, as a domestic terrorism threat category. The push comes as President Donald Trump just signed an executive order that seeks to mobilize federal law enforcement against vaguely defined domestic terror networks.

The Heritage Foundation and Oversight Project document, which defines “transgender ideology” as “a belief that wholly or partially rejects fundamental science about human sex being biologically determined before birth, binary, and immutable," grounds its policy recommendations in a startling claim: “Experts estimate that 50% of all major (non-gang related) school shootings since 2015 have involved or likely involved transgender ideology.”

When WIRED asked for the data behind this claim, the Oversight Project did not respond; the Heritage Foundation pointed to a tweet from one of its vice presidents, Roger Severino, claiming that “50% of major (non-gang) school shootings since 2015” involve a transgender shooter or trans-related motive. Severino also lays out what appears to be his entire dataset: eight shootings, four of which, he claims, involve “a trans-identifying shooter and/or a likely trans-ideology related motivation.”

The data tell a different story.

Since 2015, at least four dozen shootings have taken place on school grounds, according to data from the K-12 School Shooting Database, which has tracked every incident involving a gun on school grounds since 1966. Only three perpetrators in the database—the 2019 shooter at STEM School Highlands Ranch in Colorado and the Covenant School shooter in Nashville in 2023 among them—have been credibly identified in public reporting as transgender or undergoing gender-affirming care. Nashville police concluded the shooter there was not motivated by a clear political or ideological agenda, but prioritized notoriety and infamy. In Colorado, investigators say one of the shooters, a transgender boy, cited bullying and long-standing mental health struggles as motivations.

In an August shooting, a 23-year-old individual opened fire outside Annunciation Catholic Church in Minneapolis. The shooter had legally changed their name and written about conflict over gender identity, but there is no public evidence they consistently identified as transgender, making classification uncertain. Police say the attack was fueled by hostility toward Jews, Christians, and minorities, along with a quest for notoriety. Prosecutors added the animus was sweeping, saying the shooter “expressed hate towards almost every group imaginable.”

The K-12 database, the most comprehensive of its kind, does not include gender data for about 12.5 percent of school shooters since 2015, which only makes it more difficult to draw firm conclusions about broader patterns.

Other mass shootings at schools, including Parkland in 2018 and Uvalde in 2022, were carried out by young men with histories of grievance, misogyny, or violent ideation. None were tied to “transgender ideology.”

The larger pattern, researchers say, points in the opposite direction: White supremacist, anti-government, and misogynist beliefs account for the lion’s share of ideologically motivated gun violence. Targeting “transgender ideology” as a terrorism category, they warn, confuses identity with ideology, risks licensing violence against anyone who defies gender norms, and shifts attention away from the real drivers of schoolyard violence.

“There are no legitimate studies that suggest that a majority of school shootings since 2015 involve trangender people,” said Rachel Carroll Rivas and R. G. Cravens of the Southern Poverty Law Center’s Intelligence Project in an email. “Trans people are far more likely to be victimized by gun violence than to perpetrate it.”

The FBI defines a “mass shooting” as an incident in which four or more victims are killed by gunfire, not including the shooter or shooters. However, other less restrictive definitions are more widely accepted. The Gun Violence Archive, which has tracked gun violence in the US since 2013, includes incidents in which four or more victims are killed or injured in its “mass shooting” definition. There is no consensus on the definition of a “major” shooting, as described by the Heritage Foundation’s Severino.

Severino did not immediately respond to a request for comment.

According to a WIRED analysis of data provided by data scientist David Riedman, creator of the K-12 School Shooting Database, there have been 48 school shootings with four or more victims—injured or killed—since the start of 2015. (Just six of those meet the FBI’s definition of a mass shooting.) Of the 48 shootings, 45 have no known connection to gang activity. Three were by shooters identified in public reporting as being or having been transgender or having undergone gender-affirming care. Six of the 48 shootings since 2015 do not list the gender of the shooter, primarily because their identity was unknown to authorities.

There have been 74 total active school shooter incidents since 2015; of those, three of the perpetrators have identified as transgender, according to Riedman’s data. Data collected by the Gun Violence Archive shows that there were 5,748 mass shootings at any location in the US between January 1, 2013, and September 15, 2025; of those, five of the shooters identified as transgender people, nonbinary, or having undergone gender-affirming care—less than 0.087 percent.

In other words, Heritage’s “50 percent” claim is not just unsupported, it appears misleading by design, arbitrary in scope, and unscientific at its core.

“A methodology that limits the pool of potential observations in this way suggests researchers have a predetermined outcome in mind,” Cravens and Carroll Rivas say. “It's a method that suggests the researchers are committing an error called selecting on the dependent variable—choosing a sample that ensures the study will produce the desired outcome. In combination with the use of ‘trans ideology,’ this suggests that the desired outcome is the further scapegoating and demonization of transgender people.”

Heritage reaches its 50 percent figure by shrinking the universe of school shootings to a hand-picked few. Severino first rules out incidents rooted in crime, personal disputes, or workplace grievances. He then defines “major” school shootings as those he says are intended to “send a public message.” Applying those filters, Heritage crops down decades’ worth of incidents into fewer than 10 cases—a sample small enough that even a few shooters with one or two shared traits can be made to look like half. Broader databases, which count school shootings by more consistent criteria, show dozens of incidents each year and make clear that Heritage’s figures rest on a frame built to exaggerate, not measure—to reflect a narrative, not reality.

The Heritage Foundation did not respond to questions about the discrepancies between Severino’s conclusions and those of other researchers.

Experts say Heritage's push not only distorts the data but also diverts attention from the extremist movements actually driving violence: nihilistic violent extremist networks, accelerationist neo-fascist movements, and lone actors motivated by any number of far-right culture war grievances. Jonathan Lewis, a researcher at George Washington University’s Program on Extremism, tells WIRED: “There is no academic publication I am aware of which has found any causal relationship between an individual’s gender identity and their radicalization or mobilization, nor which establishes any basis for such an argument.”

“Any definitional framework that only includes eight of the hundreds of school shootings in the last decade,” he adds, “is certainly of questionable analytic value.”

Civil rights advocates see the proposal and Trump’s executive order as working hand in hand—moves that redefine political opposition as extremism and open the door to targeting marginalized communities. “Today we saw this administration’s latest attempt to divide, scare, and intimidate those who work to advance freedom and equality,” says Kelley Robinson, president of the Human Rights Campaign. She called the effort to label opponents as extremists “dangerous, unconstitutional, and un-American,” and part of a broader escalation by the administration to turn people’s identity into suspicious characteristics and grounds for targeting.

The timing is also notable, as federal resources for countering domestic terrorism are being steadily cut back.

The FBI has consistently diverted resources away from domestic terrorism investigations this year, pulling staff from specialized units and discounting tools long used to track extremist cases. By May, agents in field offices had been ordered to devote at least a third of their time to immigration enforcement instead, moving national security specialists into work far outside the bureau’s traditional role. Some counterterrorism agents were abruptly recalled to their posts after a US strike on Iranian nuclear facilities—a reversal that only underscored the chaos created by constant shifts in priorities.

The administration previously gutted tens of millions of dollars from federal terrorism-prevention grants at the same time, shuttering key programs at the Department of Homeland Security’s Center for Prevention Programs and Partnerships. Senator Dick Durbin, the ranking member of the Senate Judiciary Committee, called it a “broad institutional pullback” from investigating domestic terrorism, even as, he noted, “experts continue to warn about intensifying danger.”

Other experts say the retreat amounts to abandoning the fight against homegrown extremism altogether—at one of the worst possible moments.

The Heritage Foundation, whose Project 2025 policy recommendations have been widely adopted by the Trump administration, is urging the FBI to create the “TIVE” terrorism designation amid increasingly fervent anti-trans propaganda from right-wing groups.

A super PAC associated with the American Principles Project, a socially conservative group often aligned with Heritage on cultural and transgender policy, has rolled out aggressive campaign ads this week targeting, for example, US representative Mikie Sherrill, a Democrat of New Jersey, over her support for transgender rights. The spot portrays Sherrill’s positions, and trans people, in lurid, grotesque terms—a hallmark of APP’s approach in recent years as it seeks to turn transgender issues into a wedge in congressional races.

The group, led by Terry Schilling, has made opposition to trans rights central to its political strategy, running provocative ads in multiple states with the aim of stirring backlash among voters who reject transgender people’s right to exist. It did not immediately respond to a request for comment.

Tag

#mac