**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

138.0.3351.109

7/25/2025

138.0.7204.168/.169

CVE-2025-8011: Chromium: CVE-2025-8011 Type Confusion in V8

CVE-2025-8010: Chromium: CVE-2025-8010 Type Confusion in V8

Chennai, India, 25th July 2025, CyberNewsWire

**Chennai, India, July 25th, 2025, CyberNewsWire**

xonPlus, a real-time digital risk alerting system, officially launches today to help security teams detect credential exposures before attackers exploit them. The platform detects data breaches and alerts teams and systems to respond instantly.

Built by the team behind XposedOrNot, an open-source breach detection tool used by thousands, xonPlus gives organizations instant visibility when their email addresses or domains appear in breach dumps or dark web forums.

Every day, credentials are exposed in data breaches, often without the affected organizations being immediately aware. In many cases, security teams are first alerted to incidents through ransom demands, threat intelligence reports, or internal support tickets. xonPlus addresses this challenge by providing real-time monitoring of enterprise assets, delivering alerts within minutes of confirmed credential exposure.

> “We kept hearing the same thing: teams had good security stacks, but still found out about exposed credentials too late,” said Devanand Premkumar, Founder of xonPlus.

One compromised login is enough to pivot inside a network. xonPlus gives teams the early warning signal they’ve been missing.

**Built on Proven Foundation**

xonPlus leverages the intelligence infrastructure of XposedOrNot, which has tracked 10+ billions of breach records over the last 8 years and serves millions of queries globally. The platform runs on secure infrastructure powered by Cloudflare and Google Cloud, ensuring enterprise-grade reliability and performance for security-critical operations.

**Key Capabilities**

*   **Real-Time Detection**: Getting alerts within minutes when company credentials appear in a breach, including breach source, exposure date, and recommended next steps.
*   **Seamless Integration**: Works with existing security infrastructure, including SIEM, Slack, Microsoft Teams, and email systems.
*   **Developer-First API**: High-throughput API with rate limits, auth tokens, and audit logs for embedding breach intelligence into security workflows.
*   **Enterprise Scale**: Monitoring unlimited domains and millions of email addresses with customizable alert thresholds.

**Addressing Market Need**

Unlike large threat intel platforms requiring long contracts and complex setups, xonPlus offers transparent monthly pricing with 5x to 10x cost efficiency compared to traditional costly solutions. It complements existing security stacks by focusing purely on breach exposure detection.

The platform serves three primary use cases: 

*   **xonEnterprise** for domain-wide monitoring, 
*   **xonConsumer** for customer breach alerts, and 
*   **xonAPI** for developers building security tools.

**Target Market**

**xonPlus** is designed for security teams needing earlier breach visibility, startups and SMBs without full SOC coverage, developers integrating breach detection capabilities, and risk teams focused on account takeover prevention and minimizing ransomware infections.

Teams using xonPlus have cut detection time from weeks to minutes, enabling them to lock compromised accounts before attackers gain access.

**Availability**

xonPlus is immediately available as a SaaS platform with monthly subscription plans.

**Users can learn more**: https://plus.xposedornot.com/

**Users can launch the story**: https://blog.xposedornot.com/xonplus-launch/

**About xonPlus**

xonPlus is built by the team behind XposedOrNot, the open-source breach detection platform that has helped millions of users check their exposure to data breaches. Based in Chennai, India, the company focuses on making breach intelligence accessible to security teams of all sizes.

**Contact**

**Founder**  
**Devanand Premkumar**  
**\[email protected\]**

xonPlus Launches Real-Time Breach Alerting Platform for Enterprise Credential Exposure

Get to know the real people behind cybersecurity’s front lines. In this week’s newsletter, sci-fi meets reality, humanity powers technology and a few surprises are waiting to be discovered.

Thursday, July 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you’re probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto the team, but also the passions and hobbies that energize her work. Plus, she offered a sneak peek into what she’s most looking forward to at Black Hat this year! With future Humans of Talos episodes, you’ll get to learn not only about the people behind the research, but the people behind the communications, operations, and design, too.

My team chose to name the series “Humans of Talos” as a cheeky wink to the world of machine learning (ML) and a reminder that no matter how sophisticated our technology gets, it’s always our humanity that makes the difference. 

I'm a sci-fi nerd who loves a captive audience, so let’s consider Murderbot from Martha Wells’ “The Murderbot Diaries” (now a TV show starring Alexander Skarsgård). Designed as a security unit with both organic and mechanic parts, self-named Murderbot secretly hacks its own governor module and, instead of turning on humans, spends its free time watching soap operas like “The Rise and Fall of Sanctuary Moon." So relatable, right? What draws readers in isn’t its technical specs. It’s Murderbot’s dry humor, awkwardness, struggle with newfound autonomy, and the way it wrestles with what it means to care for others (even if it pretends not to). Despite its past, when it was treated as a piece of equipment rather than a living thing, Murderbot is both highly analytical and empathetic. Advanced technology is most powerful when paired with genuine human creativity and insight, and this is a balance we seek every day at Talos.

If cozy, found family sci-fi is more your vibe, take Lovey (aka Sidra) from Becky Chambers’ “A Long Way to a Small, Angry Planet” and “A Closed and Common Orbit.” Originally an AI managing a tunneling spaceship, Lovey is suddenly transferred into a human-like body kit and faces the challenge of living in a world she was never designed for, which is where her story really gets interesting. She has to learn everything from how to move and act to how to build friendships and find her own purpose. Learning to ask for help, make mistakes and trust the people around us is familiar to many of us in the cybersecurity community. No matter how advanced our tools become, it’s our willingness to learn from each other, collaborate and grow together that truly makes us stronger and better at our work.

So while Talos has practically always used ML in our work, I’ll always say that it is nothing without the humans behind it. We all share one mission: protecting our customers.

Tune into the next episode mid-August, and whether you’re streaming “Sanctuary Moon” or finding your place in the universe like Lovey, stay safe and secure out there!

**The one big thing **

Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) group called Chaos, which is actively targeting organizations worldwide with sophisticated attacks involving phishing, remote management tool abuse, and double extortion tactics.  

We assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit (Royal) gang. They use advanced encryption, anti-analysis techniques, and target both local and networked systems for maximum disruption. We believe the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, and the group uses the same name to create confusion.   

**Why do I care? **

Chaos is going after organizations of all sizes across verticals using techniques that can bypass common security measures, steal sensitive data and disrupt business operations. Even if you’re not a direct target, your company could be affected if you work with a business that is attacked, or if similar tactics are used against your sector.

**So now what? **

Review your organization’s security posture, especially around email, remote access and backup systems. Make sure you’re using multi-factor authentication, keeping software up-to-date and educating employees about phishing and social engineering.

**Top security headlines of the week **

**Microsoft rushes emergency patch for actively exploited SharePoint “ToolShell” bug**   
Malicious actors already have already pounced on the zero-day vulnerability in Microsoft Sharepoint Server, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks. (DarkReading) (Cisco Talos) 

**Europol sting leaves Russian cybercrime's “NoName057(16)” group fractured**   
National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia. (DarkReading) 

**Indian crypto exchange CoinDCX confirms $44M stolen during hack**   
On Saturday, CoinDCX co-founder and CEO Sumit Gupta disclosed in a post on X that an internal account was compromised during the hack. The executive assured that the incident did not affect customer funds and that all its customer assets remain secure. (TechCrunch) 

**Ryuk ransomware operator extradited to US, faces five years in federal prison**   
Justice Department officials said the operators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies. (CyberScoop)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**SnortML in 60 seconds**   
Most detection engines rely on signatures, but when threats evolve or the exploit is brand new, these rules can fall short. **Enter SnortML!** 

**Humans of Talos: Hazel Burton**   
Okay, I know I hammered this into you in the intro, but Hazel is a delight to listen to, and she gives a lot of wonderful insights. **Watch here.**

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 
*   BlueTeamCon (Sept. 4 – 7) Chicago, IL

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection

**SHA 256: ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c**   
MD5: 17e33efb1b100397c3a9908df7032da1   
VirusTotal: https://www.virustotal.com/gui/file/ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c/details    
Typical Filename: tacticalrmm.exe   
Claimed Product: N/A   
Detection Name: W32.EE33AAA05B-95.SBX.TG

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**   
MD5: 7854b00a94921b108f0aed00f77c7833   
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details    
Typical Filename: winword.exe   
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote   
Detection Name: W32.0581BD9F0E.in12.Talos

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details   
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

BRB, pausing for a "Sanctuary Moon" marathon

KrebsOnSecurity recently heard from a reader whose boss's email account got phished and was used to trick one of the company's customers into sending a large payment to scammers. An investigation into the attacker's infrastructure points to a long-running Nigerian cybercrime group that is actively targeting established companies in the transportation and aviation industries.

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

Image: Shutterstock, Mr. Teerapon Tiuekhom.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email addresses in the registration records for the imposter domain — **roomservice801@gmail.com** — is tied to many such phishing domains. Indeed, a search on this email address at **DomainTools.com** finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware\[.\]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

**JUSTY JOHN**

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for **alhhomaidhicentre\[.\]biz** reference the technical contact of “**Justy John**” and the email address **justyjohn50@yahoo.com**.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain **axisupdate\[.\]net** — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate\[.\]com, acctlogin\[.\]biz, and loginaccount\[.\]biz, all of which at one point included the email address **rsmith60646@gmail.com**.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala\[.\]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address **michsmith59@gmail.com**.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain **seltrock\[.\]com**, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address **sebastinekelly69@gmail.com**, including **26i3\[.\]net**, **costamere\[.\]com**, **danagruop\[.\]us**, and **dividrilling\[.\]com**. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by **Palo Alto Networks**‘ **Unit 42** research team.

**SILVERTERRIER**

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “**SilverTerrier**” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “**business e-mail compromise**” or **BEC** scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by **Interpol**. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s **Internet Crime Complaint Center** (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with _nearly $2.8 billion in claimed losses_. In its 2025 Fraud and Control Survey Report, the **Association for Financial Professionals** found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

**FINANCIAL FRAUD KILL CHAIN**

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “**financial fraud kill chain**” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

Image: ic3.gov.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.

Phishers Target Aviation Execs to Scam Customers

Lower rates for creating unique passwords, buying items from known websites, and using protection software leave iPhone users at risk to online scams.

The smartphone wars have a winner, and it’s Android.

No, this isn’t about which device has the best camera, the snappiest processor, or the flashiest AI features—this is about which device _owners_ are safer online, and in many ways, it is Android users who take the crown. According to a new analysis from Malwarebytes, when compared to iPhone users, Android users share less of their personal information for promotional deals, more frequently use security tools, and more regularly create and manage unique passwords for their many online accounts.

They also, it turns out, fall victim to fewer scams.

This is the latest investigation into research conducted earlier this year by Malwarebytes that surveyed 1,300 people over the age of 18 in the US, the UK, Austria, Germany, and Switzerland. In the original report released in June, Malwarebytes revealed how mobile scams have become a part of everyday life for most everyone across the globe—and how far too many individuals have essentially given up on trying to fight back.

Now, Malwarebytes can reveal how iPhone and Android users differ when scrolling, shopping, and sending messages online. This secondary analysis has controlled for age, meaning that, while iPhone users did tend skew younger in the original data set, the differences identified here are more directly attributed to device type.

Here are some of the key takeaways:

*   Apple users are more likely to engage in risky behavior.
    *   47% of iPhone users purchased an item from an unknown source because it offered the best price, compared to 40% of Android users.
    *   41% of iPhone users sent a Direct Message (DM) on social media to a company or seller account to get a discount or discount code, compared to 33% of Android users.
*   Apple users take fewer precautions online.
    *   21% of iPhone users said they use security software on their mobile phones, compared to 29% of Android users.
    *   35% of iPhone users choose unique passwords for their online accounts, compared to 41% of Android users.
*   Apple users are more likely to be the victims of scams.
    *   53% of iPhone users have fallen victim to a scam compared to 48% of Android users.

Importantly, the behavioral splits here are largely device agnostic.

Android users are not scanning fewer QR codes and iPhone users are not failing to make unique passwords because their respective devices are somehow incapable. Instead, iPhone users are making worse decisions about buying things online and about staying safe from all types of cyberthreats—whether that includes phishing attempts, social engineering scams, or malware infections.

The reasons for this are complex and hard to identify, but Malwarebytes’ original research can provide a clue. Namely, iPhone users were slightly more likely than Android users (55% compared to 50%) to agree with the following statement:

> “I trust the security measures on my mobile/phone to keep me safe.”

That trust could have an adverse effect, in that iPhone users do not feel the need to change their behavior when making online purchases, and they have less interest in (or may simply not know about) using additional cybersecurity measures, like antivirus.

Whatever the reasons, there is room for improvement. As explained by Mark Beare, general manager of consumer business for Malwarebytes, staying safe online today cannot rely on any single platform, device, or operating system.

“Devices and operating systems are just gateways to apps and websites, and it’s often those online spaces that present cyber risks,” Beare said. “When those websites or apps serve malicious or deceptive content, it’s up to the user to decide what’s real, what’s a scam, and where they should or shouldn’t click.”

Here is where iPhone users should most pay attention when using the internet.

It’s getting harder to shop safely online.

For years, the cybersecurity industry warned people about the most obvious red flags when making a purchase or offering a donation online: Don’t click on unknown links, don’t share personal information, don’t send messages directly to strangers, and don’t scan QR codes that can lead to unknown locations. Behind all of these could lie malware, data theft, and even the slow start of a social engineering scam.

And yet, in the past few years, even legitimate businesses have asked everyday consumers to do these same, reckless things. Online stores ask that people send a Direct Message (DM) on social media for a discount code, or that they sign up their email or phone number for a promotional offer, or that they complete their payment by scanning a QR code, or that they track an upcoming delivery by clicking on a link sent via text.

Just because established businesses are leaning into these tactics does not make the tactics inherently safe, and unfortunately, iPhone users are pushing back the least.

According to Malwarebytes’ recent analysis, 63% of iPhone users signed up their phone number for text messages so they could get a coupon, discount, free trial, or other promotional offer, compared to the 55% of Android users who did the same. Similarly, 41% of iPhone users “sent a DM on social media to a company or seller account to get a discount or discount code,” compared to 33% of Android users.

Malwarebytes also found that 47% of iPhone users “purchased an item from an unknown website or supplier because it offered the best price,” compared to 40% of Android users.

In looking at the data, however, it is important to recognize that some of the behavior from iPhone users has been thrust upon them.

For example, 70% of iPhone users have “scanned a QR code to begin or complete a purchase.” Beginning in 2020, scanning a QR code became commonplace as restaurants across the world implemented several strategies to limit the spread of COVID-19. This practice isn’t the fault of iPhone users (or the 63% of Android users who have done the same), and they shouldn’t be “blamed” for what the world asked of them.

However, sharing a phone number, sending a DM to a stranger, and buying from unknown websites are decidedly not requirements today for making an online purchase. 

As Malwarebytes discussed on the Lock and Code podcast earlier this year, “data deals” in which consumers are asked to give up some of their privacy for a one-time discount are rarely, if ever, worth the cost. Separately, the most common start to a romance scam, job scam, or investment scam is through a DM sent on social media.

Though legitimate companies have co-opted these strategies to boost engagement and revenue, the public still have an opportunity to push back. If they do not, there is a real risk that these marketing tactics become so normalized that online scammers will find it easier to send malicious messages, disguise their intentions, and steal from innocent people.

****Not so pro(active)****

Ever since a devastatingly effective commercial was unveiled to the public some 20 years ago, there’s been a persistent belief that Apple devices are somehow impervious to viruses, malware, and all other nasty cyber infections.

The marketing ploy was wrong back then and it is still wrong today—Macs get plenty of viruses—but the damage is already done, and the consequences might be most visible in how iPhone users feel about traditional cybersecurity tools: In short, they don’t use them.

According to Malwarebytes’ new analysis, just 21% of iPhone users said they use security software on their mobile phone, compared to 29% of Android users. iPhone users were also less likely than Android users to use an ad blocker (19% of iPhone users compared to 27% of Android users).

The data gaps here are sometimes benign. The low use of “ad blockers,” in particular, should come as no surprise. These tools are mostly understood as add-ons for desktop and laptop versions of popular web browsers—such as Google Chrome, Microsoft Edge, and Mozilla Firefox. While many mobile browsers have ad blockers built in by default, this may not be known to the average user.

Also remember that, as smartphone ownership increases across the globe, so do the numbers on smartphone “dependency.” According to Pew Research Center, 15% of adults in the US _only_ have a smartphone to connect to the internet, meaning, perhaps, that 15% of people simply cannot access the same security and privacy tools that are developed predominantly for computers.

That said, the justifications for iPhone users start to fade when looking at one last number.

Only 35% of iPhone users “choose unique and strong passwords for accounts,” compared to 41% of Android users. Creating strong, unique passwords for online accounts is foundational to staying safe online, and it has only been made easier and more accessible over time.

For users who cannot remember a unique password for every account (which is every person alive), password managers are available—some for free—to help create, store, and recall as many strong passwords as needed. For users who do not trust a third-party password manager (understandably so), Apple released its “Passwords” app on iOS 18 nearly one year ago, making password management easier by default. And for users who don’t trust password managers (of which there are many), the antiquated practice of physically writing usernames and passwords in a private journal isn’t _that_ outlandish.

In short, there is little excuse for failing to create and use unique passwords for every online account, and that goes for Android users, too. The technology can be intimidating, but it’s worth the work.

****Security for all****

The measurably unsafe behavior of some iPhone users online comes with unfortunate, measurable consequences. The poor password hygiene, risky buying behavior, and limited antivirus protection are all paired with a higher overall rate of victimization—53% of iPhone users have fallen victim to a scam compared to 48% of Android users.

In the worst circumstances, these disparate rates could invite blame, but it’s the wrong conclusion to make. As any scam victim knows, the statistical analysis of victimization means absolutely nothing when you are personally trying to recover your money, your reputation, your private photos, and your sense of trust in the world around you.

Every person, no matter their device, should create unique passwords for individual accounts, use security products (which can also detect malicious websites and phishing schemes), and rely on friends and family when something doesn’t feel right online. And for those who want 24/7 guidance on strange messages, phone numbers, and more, there is always Malwarebytes Scam Guard to lead the way. Try it today.

 iPhone vs. Android: iPhone users more reckless, less protected online 

Brave browser now blocks Microsoft Recall by default, preventing screenshots and protecting users’ browsing history on Windows 11.

Brave browser has announced a new privacy measure, automatically blocking Microsoft’s controversial Recall feature from taking screenshots of browsing activity. This move, implemented in version 1.81 for Windows users, aims to give users more control over their digital privacy, especially concerning their online history.

****What is Microsoft Recall?****

Microsoft Recall, first introduced in May 2024, is designed as a productivity tool for Copilot+ PCs, which are high-end, AI-enhanced computers. It works by taking periodic screenshots of a user’s screen activity and storing them in a local, searchable database. The idea is to allow users to easily ‘recall’ past actions and information using natural language queries, for instance, finding a website visited that featured specific content.

However, from its initial announcement, Recall faced significant criticism from privacy advocates and security experts. Early versions stored these screenshots in plain text, making them highly vulnerable if a system got compromised. While Microsoft has since made changes, including making Recall an opt-in feature and encrypting the data, concerns about a persistent, OS-level log of user activity remain.

****Brave’s Proactive Privacy Stance****

Brave’s Privacy Team specified that Recall contradicts the browser’s privacy-first mission. To address this, Brave has expanded upon Microsoft’s existing privacy commitment to not record private browsing sessions. Therefore, Brave now signals to the operating system that all Brave browser windows are “private,” effectively preventing Recall from capturing any screenshots from them by default.

Block Microsoft Recall toggle in Brave (Source: brave.com)

This approach ensures user browsing activity does not “accidentally end up in a persistent database,” which the Brave Privacy Team highlighted as particularly sensitive in cases like intimate partner violence. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository.

While inspired by similar screenshot-blocking efforts from messaging platforms like Signal, Brave’s method is designed to avoid interfering with other legitimate functions, such as accessibility tools or regular screenshots. Users who wish to allow Recall to capture their Brave Browser can manually adjust a setting within brave://settings/privacy.

****Ongoing Changes and User Control****

This step comes as Microsoft is enhancing Recall, a feature currently in preview, with its final release form for all Windows 11 users remaining uncertain. The Brave Privacy Team has acknowledged that Microsoft has made several security and privacy-enhancing modifications to Recall due to initial concerns.

However, the rapid emergence of bypasses to Microsoft’s initial fixes, such as CVE-2025-53770 and CVE-2025-53771, indicates an ongoing challenge for software developers in securing against such deep-level system monitoring.

Nonetheless, Brave’s action reinforces its commitment to user privacy by offering a strong default defence against features that could potentially log extensive personal data.

Brave Browser Blocks Microsoft Recall from Tracking Online Activity

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.
The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603."
The threat actor attributed to the financially

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

National Nuclear Security Administration and National Institutes of Health targeted in global Microsoft SharePoint vulnerability exploitation. Chinese hacking groups suspected in widespread data breaches.

A recent global cyberattack campaign, exploiting critical vulnerabilities in Microsoft’s on-premise SharePoint software, has impacted several US government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA).

The breaches, which began around Friday, July 18, have prompted immediate action from affected organizations and a strong response from Microsoft, which attributes the attacks to groups linked to the Chinese government.

The NNSA, a division of the Department of Energy responsible for the nation’s nuclear weapons stockpile, confirmed it was affected, but stated that only a “very small number of systems” were impacted. Notably, no classified information was compromised due to NNSA’s widespread use of Microsoft M365 cloud services and strong cybersecurity systems, as reported by Bloomberg News.

“A very small number of systems were impacted. All impacted systems are being restored,” the agency stated.

Similarly, The Washington Post reported that the NIH, a major biomedical research funder, confirmed that at least one SharePoint server system was involved, with eight servers disconnected as a precaution. While one server was compromised, there is no indication that any sensitive information was stolen.

The Washington Post also noted that the California Independent System Operator, which manages most of California’s electric grid, was also targeted. The non-profit “did not confirm nor deny” the breach but confirmed taking immediate actions to contain the threat with no impact on grid reliability.

For your information, these attacks capitalize on a zero-day vulnerability in Microsoft SharePoint. Hackread.com has extensively covered this issue, Microsoft’s investigation and subsequent patches in its recent reports.

So far, what we know is that the vulnerabilities, identified as CVE-2025-49706, CVE-2025-49704, and a variant CVE-2025-53770, allow for network spoofing and remote code execution, giving unauthorized actors full access to SharePoint content, including file systems and internal configurations. These particular flaws affect SharePoint deployments hosted directly by customers, rather than Microsoft’s cloud-based SharePoint Online.

Microsoft has identified three distinct hacking groups, “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” all linked to the Chinese government, as being behind these exploitations. These groups are known for targeting government, business, and educational institutions worldwide. The FBI and other relevant agencies are currently investigating the full extent of the compromise.

A Chinese Foreign Ministry spokesperson, when asked about the accusations, stated that China “opposes and fights hacking activities in accordance with the law” and “oppose smears and attacks against China under the excuse of cybersecurity issues.”

Nevertheless, this incident intensifies scrutiny on Microsoft’s security protocols, especially given past criticisms regarding its core products’ vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA)is also facing criticism.

The agency is reportedly facing budget cuts and high staff turnover, which has possibly hampered the timely dissemination of threat warnings to state and local entities, leaving them more susceptible to such pervasive cyber campaigns.

National Nuclear Security Administration Systems Breached in SharePoint Cyberattack

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Tag

#microsoft