Guide to scale ready code security with event driven scans unified data and API first design for large teams seeking strong growth aligned control.

Choosing a security platform is more than just a feature-for-feature comparison. As organisations grow, the underlying architecture of their security tools becomes critically important. A solution that works for ten developers can quickly buckle under the weight of a hundred, leading to slow scans, missed alerts, and frustrated engineering teams. This is a common challenge for teams considering Cycode alternatives, as they seek solutions that can not only meet their immediate needs but also scale with their ambitions.

To successfully implement a code security platform at scale, you need more than just a good tool; you need the right architectural patterns. These patterns ensure that your security processes are decentralised, automated, and seamlessly integrated, allowing you to secure thousands of repositories and pipelines without creating a central bottleneck. This isn’t just about swapping out one tool for another; it’s about building a scalable blueprint for DevSecOps.

This guide explores the key architecture patterns that enable code security platforms to thrive at scale, providing a framework for evaluating and implementing a solution that will grow with you.

****Pattern 1: Decentralised, Event-Driven Scanning****

In a small organisation, it might be feasible to have a central security team manage scanning configurations and triage alerts. At scale, this model collapses. The “security as a service” model, where a central team is a gatekeeper, becomes a bottleneck that slows down development. A scalable architecture flips this model on its head.

**The Blueprint:** Instead of a centralised, polling-based system, a scalable architecture uses a decentralised, event-driven approach. This means security scanning is initiated by events happening within the development lifecycle itself.

*   **Event Triggers:** Scans are not run on a fixed schedule by a central server. Instead, they are triggered by webhooks from your Source Code Management (SCM) tool (like GitHub, GitLab, or Bitbucket). A git push to a new branch, a new pull request, or a merge to the main branch all become events that trigger targeted security scans.

*   **Ephemeral Runners:** When an event occurs, the CI/CD system spins up an ephemeral, or short-lived, runner to execute the scan. This containerised environment pulls the relevant code, runs the security analysis (SAST, SCA, IaC scanning), and then spins down. This is highly scalable, as you can run hundreds or thousands of scans in parallel without managing a fleet of dedicated scanning servers. For additional insight into microservices-based scalability, see Google Cloud’s guide to event-driven architecture. The CNCF’s guide on cloud native principles provides great context for why this ephemeral, microservices-based approach is so resilient. You can also explore Microsoft’s documentation on distributed event-driven architecture.

*   **Configuration as Code:** Scan configurations, policies, and rules are not managed through a central UI. Instead, they are defined in a simple configuration file (e.g., a YAML file) that lives inside each repository. This empowers individual teams to manage their own security settings within the context of their application, a concept often referred to as “Policy as Code.”

**Why It Scales:** This pattern removes the central security team as a bottleneck. It distributes the workload across your existing CI infrastructure and empowers development teams with the autonomy to manage their own security context, making the entire process faster and more efficient.

****Pattern 2: The Unified Data Model and “Single Pane of Glass”****

One of the biggest challenges with scaling security is tool sprawl. Teams often end up with one tool for SAST, another for SCA, a third for secrets detection, and a fourth for IaC scanning. This creates data silos. The alerts from these disparate tools lack context, making it impossible to prioritise effectively.

**The Blueprint:** A scalable architecture relies on a platform that can ingest findings from various security scanners into a unified data model. Whether you’re using an all-in-one solution or integrating best-of-breed scanners, the goal is to have a single place where all security data is normalised, deduplicated, and correlated.

*   **Normalisation:** The platform should translate alerts from different tools into a standard format. A “critical” vulnerability from your SAST scanner should be comparable to a “critical” one from your SCA tool.

*   **Deduplication:** A good system will recognise when the same vulnerability is found in multiple branches or by different scan types, presenting it as a single, persistent issue rather than a flood of duplicate alerts.

*   **Correlation:** The true power comes from correlating data. For example, the platform can link a vulnerability in an open-source library (SCA finding) to the specific lines of code in your repository that use it (SAST context). This tells you if the vulnerability is actually reachable and exploitable, allowing you to prioritise real risks over theoretical ones.

For deeper perspectives on the value of unified security data management and prioritisation, see Google’s commentary on unified security data lakes and SANS’s guide to vulnerability management prioritisation.

**Why It Scales:** A unified data model turns noise into signal. At scale, you will be dealing with tens of thousands of potential security findings. Without a way to prioritise, your teams will be paralysed by alert fatigue. A “single pane of glass” that provides this rich context is essential for focusing remediation efforts on the issues that matter most.

****Pattern 3: The API-First, Hub-and-Spoke Integration Model****

A scalable security platform doesn’t try to be everything to everyone. It acknowledges that it is one part of a larger, complex toolchain. An architecture built for scale is designed to integrate, not dictate.

**The Blueprint:** The platform should be built with an API-first philosophy. Every feature available in the UI should also be accessible via a well-documented REST API. This allows you to treat the security platform as a central “hub” that connects to other tools in a “hub-and-spoke” model. For an in-depth look at API-first design principles and their benefits in building extensible systems, see the Google Cloud API Design Guide. Additionally, organisations adopting integrated DevSecOps workflows may benefit from the guidance offered in the OpenAPI Initiative documentation, which supports API standardisation in complex environments.

*   **Source of Truth:** The security platform acts as the central source of truth for all security findings.

*   **CI/CD Spoke:** Your CI/CD pipeline (the spoke) communicates with the hub via API to trigger scans and retrieve results.

*   **Ticketing Spoke:** The hub integrates with ticketing systems like Jira or Azure DevOps. When a high-priority vulnerability is found, the platform’s API can automatically create a ticket, assign it to the right team, and populate it with all the necessary context.

*   **Notification Spoke:** The hub connects to Slack or Microsoft Teams to send targeted, actionable notifications to the developers responsible for the code.

*   **Business Intelligence Spoke:** The API allows you to pull data into BI tools like Tableau or Power BI to create custom dashboards and reports for leadership, tracking metrics like Mean Time to Remediate (MTTR). For more on key DevSecOps metrics, GitLab’s DevSecOps survey often has valuable insights.

**Why It Scales:** An API-first, hub-and-spoke model makes the security platform incredibly flexible and extensible. It allows you to embed security information into the tools your teams already use, creating a seamless and automated workflow that can adapt as your organisation’s toolchain evolves.

When evaluating alternatives to any security platform, look beyond the feature list. Examine the underlying architecture. A solution built on decentralised scanning, a unified data model, and API-first principles won’t just solve today’s problems; it will provide a robust foundation for a secure and scalable development lifecycle for years to come.

(Photo by Wesley Ford on Unsplash)

Architecture Patterns That Enable Cycode alternatives at Scale

We’ve seen a new wave of attacks exploiting legitimate Remote Monitoring and Management (RMM) tools to remotely control victims’ systems.

A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims’ systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses–disguising them as everyday utilities. Once installed, the tool gives attackers full remote access to the victim’s machine, evading many conventional security detections because the software itself is legitimate.

We’ve recently noticed an uptick in our telemetry for the detection name RiskWare.MisusedLegit.GoToResolve, which flags suspicious use of the legitimate GoToResolve/LogMeIn Resolve RMM tool.

Our data shows the tool was detected with several different filenames. Here are some examples from our telemetry:

The filenames also provide us with clues about how the targets were likely tricked into downloading the tool.

Here’s an example of a translated email sent to someone in Portugal:

As you can see, hovering over the link shows that it points to a file uploaded to Dropbox. Using a legitimate RMM tool and a legitimate domain like dropbox\[.\]com makes it harder for security software to intercept such emails.

Other researchers have also described how attackers set up fake websites that mimic the download pages for popular free utilities like Notepad++ and 7-Zip.

Clicking that malicious link delivers an RMM installer that’s been pre-configured with the attacker’s unique “CompanyId”–a hardcoded identifier tying the victim machine directly to the attacker’s control panel.

This ID lets them instantly spot and connect to the newly infected system without needing extra credentials or custom malware, as the legitimate tool registers seamlessly with their account. Firewalls and other security tools often allow their RMM traffic, especially because RMMs are designed to run with admin privileges. The result is that malicious access blends in with normal IT admin traffic.

**How to stay safe**

By misusing trusted IT tools rather than conventional malware, attackers are raising the bar on stealth and persistence. Awareness and careful attention to download sources are your best defense.

*   Always download software directly from official websites or verified sources.
*   Check file signatures and certificates before installing anything.
*   Verify unexpected update prompts through a separate, trusted channel.
*   Keep your operating system and software up to date.
*   Use an up-to-date, real-time anti-malware solution. Malwarebytes for Windows now includes Privacy Controls that alert you to any remote-access tools it finds on your desktop.
*   Learn how to spot social engineering tricks used to push malicious downloads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 How attackers use real IT tools to take over your computer 

Koi Security exposes ShadyPanda, a group that used trusted Chrome/Edge extensions to infect 4.3 million users over 7 years for deep surveillance and corporate espionage.

Cybersecurity researchers at Koi Security have exposed a massive espionage operation by a group named ShadyPanda that infected over 4.3 million Chrome and Microsoft Edge browser users over approximately seven years. The attackers used a highly patient and sneaky tactic: they uploaded normal-looking extensions, gained user trust, and then quietly converted them into dangerous spyware.

The investigation found two major operations, including a 300,000-user remote code execution (RCE) backdoor using extensions like Clean Master and a separate 4-million-user spyware campaign led by extensions such as WeTab.

****The Evolution of Deception****

ShadyPanda’s success relied on exploiting trust over time, beginning with simple cybercrime. In 2023, the group ran its first large campaign using 145 extensions (disguised as wallpaper or productivity apps) under names like ‘nuggetsno15’ and ‘Zhang’ to conduct affiliate fraud.

They added tracking codes to links for sites like eBay and Amazon, generating hidden commissions. In 2024, they grew bolder, moving to actively control the browser, redirecting searches through a known hijacker called trovi.com and stealing real-time search data. To avoid detection, the malware would also switch to benign behaviour if a security researcher opened the browser’s developer tools.

****The Two Major Active Threats****

**Threat 1: The RCE Backdoor Attack (300,000 Users)**

This operation employed the “long game” by exploiting extensions that had operated legitimately for years. Some, like Clean Master (with over 300,000 installs), had even earned Google’s “Featured” and “Verified” statuses. Then, in mid-2024, a silent update transformed them. This meant the automatic update feature, designed for user security, became an easy attack vector for the malware without anyone noticing.

These updated extensions effectively became a backdoor using Remote Code Execution (RCE), allowing the attacker to run any program remotely on an infected computer. The extensions checked an outside server hourly for new commands. This enabled ShadyPanda to monitor nearly everything, from every website you visited to collecting a complete “fingerprint” of your browser, Koi Security’s blog post explains.

Source: Koi Security

**Threat 2: The Spyware Empire (4 Million Users)**

A separate, massive operation involved five other extensions, including WeTab (with three million installs alone), that actively collected data. This included every URL visited, all search queries, and even mouse clicks, with the data being sent to servers in China.

Source: Koi Security

The threat isn’t just limited to individual users. For companies, an infected computer could lead to stolen API keys and compromised internal systems.

This long-running attack exposed a critical weakness: official marketplaces focus too heavily on the initial submission of an extension rather than monitoring its behaviour later. This allowed ShadyPanda to patiently build a massive user base before launching the strike.

The key takeaway is that trust itself proved to be the biggest vulnerability. Users must be cautious of the extensions they install, even those with high ratings, to prevent the next silent attack.

Cybersecurity experts commented on the significance of the ShadyPanda operation, emphasising its risk to businesses. Randolph Barr, Chief Information Security Officer at Cequence Security, highlighted the strategic nature of the attackers.

“The most recent acts of ShadyPanda reveal that they are part of one of the most advanced and long-running browser supply chain efforts we’ve seen. Not only are the technical aspects important, but so is the patience,” said Barr.

He noted how the group leveraged trust, stating, “ShadyPanda demonstrated their commitment to long-term strategies by releasing clean extensions that garnered hundreds of thousands of installs, earning Google’s ‘Featured’ and ‘Verified’ trust badges, and leveraging these badges through consistent updates years later.”

Diane Downie, Senior Software Architect at Black Duck, focused on the difficulty of detection and the need for stricter security: “Malicious code poses a real challenge since it closely resembles legitimate code, leveraging the same convenience features but with bad intent… The ShadyPanda incident shows just how far those bad actors are willing to go.”

She advised organisations to adopt a tougher stance: “As this level of sophistication fast becomes the new normal, organisations need to take a serious zero-trust posture with their systems.”

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, pointed out a flaw in standard security practices: “ShadyPanda learned that Chrome’s review process, like most enterprise security teams, are focused on initial submissions… and not ongoing behaviour after initial approval.”

He concluded that modern attackers are strategic and patient: “The scariest ones play the long game… requiring continuous vigilance to detect and defend against.”

7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users

After seven years of acting like normal add-ons, five popular Chrome and Edge extensions with millions of installs suddenly turned malicious.

Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed on roughly 4.3 million Chrome and Edge users’ devices suddenly went rogue. Now they can track what you browse and run malicious code inside your browser.

The researchers found five extensions that operated cleanly for years before being weaponized in mid-2024. The developers earned trust, built up millions of installs, and even collected “Featured” or “Verified” status in the Chrome and Edge stores. Then they pushed silent updates that turned these add-ons into spyware and malware.

The extensions turned into a remote code execution framework. They could download and run malicious JavaScript inside the browser and collect information about visited sites and the user’s browser, sending it all back to attackers believed to be based in China.

One of the most prevalent of these extensions is WeTab, with around three million installs on Edge. It acts as spyware by streaming visited URLs, search queries, and other data in real time. The researchers note that while Google has removed the extensions, the Edge store versions are still available.

Playing the long game is not something cybercriminals usually have the time or patience for.

The researchers attributed the campaign to the ShadyPanda group, which has been active since at least 2018 and launched their first campaign in 2023. That was a simpler case of affiliate fraud, inserting affiliate tracking codes into users’ shopping clicks.

What the group did learn from that campaign was that they could get away with deploying malicious updates to existing extensions. Google vets new extensions carefully, but updates don’t get the same attention.

It’s not the first time we’ve seen this behavior, but waiting for years is exceptional. When an extension has been available in the web store for a while, cybercriminals can insert malicious code through updates to the extension. Some researchers refer to the clean extensions as “sleeper agents” that sit quietly for years before switching to malicious behavior.

This new campaign is far more dangerous. Every infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.

**How to find malicious extensions manually**

The researchers at Koi shared a long list of Chrome and Edge extension IDs linked to this campaign. You can check if you have these extensions in your browser:

**In Chrome**

1.  Open Google Chrome.
2.  In the address bar at the top, type **chrome://extensions/** and press **Enter**.​ This opens the Extensions page, which shows all extensions installed in your browser.​
3.  At the top right of this page, turn on **Developer mode**.
4.  Now each extension card will show an extra line with its **ID.**​
5.  Press **Ctrl+F** (or **Cmd+F** on Mac) to open the search box and paste the ID you’re checking (e.g. eagiakjmjnblliacokhcalebgnhellfi) into the search box.

If the page scrolls to an extension and highlights the ID, it’s installed. If it says _No results found_, it isn’t in that Chrome profile.​

If you see that ID under an extension, it means that particular add‑on is installed for the current Chrome profile.​

To remove it, click **Remove** on that extension’s card on the same page.

**In Edge**

Since Edge is a Chromium browser the steps are the same, just go to **edge://extensions/** instead.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 “Sleeper” browser extensions woke up as spyware on 4 million devices 

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.
GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm,

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.

GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities.

The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories.

The latest wave of the GlassWorm campaign, spotted by Secure Annex's John Tuckner, involves a total of 24 extensions spanning both repositories. The list of identified extensions is below -

VS Code Marketplace:

*   iconkieftwo.icon-theme-materiall
*   prisma-inc.prisma-studio-assistance (removed as of December 1, 2025)
*   prettier-vsc.vsce-prettier
*   flutcode.flutter-extension
*   csvmech.csvrainbow
*   codevsce.codelddb-vscode
*   saoudrizvsce.claude-devsce
*   clangdcode.clangd-vsce
*   cweijamysq.sync-settings-vscode
*   bphpburnsus.iconesvscode
*   klustfix.kluster-code-verify
*   vims-vsce.vscode-vim
*   yamlcode.yaml-vscode-extension
*   solblanco.svetle-vsce
*   vsceue.volar-vscode
*   redmat.vscode-quarkus-pro
*   msjsdreact.react-native-vsce

Open VSX:

*   bphpburn.icons-vscode
*   tailwind-nuxt.tailwindcss-for-react
*   flutcode.flutter-extension
*   yamlcode.yaml-vscode-extension
*   saoudrizvsce.claude-dev
*   saoudrizvsce.claude-devsce
*   vitalik.solidity

The attackers have been found to artificially inflate the download counts to make the extensions appear trustworthy and cause them to prominently appear in search results, often in close proximity to the actual projects they impersonate to deceive developers into installing them.

"Once the extension has been approved initially, the attacker seems to easily be able to update code with a new malicious version and easily evade filters," Tuckner said. "Many code extensions begin with an 'activate' context, and the malicious code is slipped in right after the activation occurs."

The new iteration, while still relying on the invisible Unicode trick, is characterized by the use of Rust-based implants that are packaged inside the extensions. In an analysis of the "icon-theme-materiall" extension, Nextron Systems said it comes with two Rust implants that are capable of targeting Windows and macOS systems -

*   A Windows DLL named os.node
*   A macOS dynamic library named darwin.node

As observed in the previous GlassWorm infections, the implants are designed to fetch details of the C2 server from a Solana blockchain wallet address and use it to download the next-stage payload, an encrypted JavaScript file. As a backup, they can parse a Google Calendar event to fetch the C2 address.

"Rarely does an attacker publish 20+ malicious extensions across both of the most popular marketplaces in a week," Tuckner said in a statement. "Many developers could easily be fooled by these extensions and are just one click away from compromise."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools

Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.
The activity has been attributed by ESET to a hacking group known as MuddyWater (aka Mango

Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.

The activity has been attributed by ESET to a hacking group known as **MuddyWater** (aka Mango Sandstorm or TA450), a cluster assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). The attacks also singled out one technology company based in Egypt.

The hacking group first came to light in November 2017, when Palo Alto Networks Unit 42 detailed targeted attacks against the Middle East between February and October of that year using a custom backdoor dubbed POWERSTATS. It's also known for its destructive attacks on Israeli organizations using a Thanos ransomware variant called PowGoop as part of a campaign referred to as Operation Quicksand.

According to data from the Israel National Cyber Directorate (INCD), MuddyWater's attacks have aimed at the country's local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).

Typical attack chains involve techniques like spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools – a long-favored approach of MuddyWater. However, at least since May 2024, the phishing campaigns have delivered a backdoor known as BugSleep (aka MuddyRot).

Some of the other notable tools in its arsenal include a Blackout, a remote administration tool (RAT); AnchorRat, a RAT that offers file upload and command execution features; CannonRat, a RAT that can receive commands and transmit information; Neshta, a known file infector virus; and Sad C2, a command-and-control (C2) framework that delivers a loader called TreasureBox, which deploys the BlackPearl RAT for remote control, and a binary known as Pheonix to download payloads from the C2 server.

The cyber espionage group has a track record of striking a wide range of industries, specifically governments and critical infrastructure, using a mix of custom malware and publicly available tools. The latest attack sequence begins, as in previous campaigns, with phishing emails containing PDF attachments that link to legitimate remote desktop tools like Atera, Level, PDQ, and SimpleHelp.

The campaign is marked by the use of a loader named Fooder that's designed to decrypt and execute the C/C++-based MuddyViper backdoor. Alternatively, the C/C++ loader has also been found to deploy go-socks5 reverse tunneling proxies and an open-source utility called **HackBrowserData** to collect browser data from several browsers, with the exception of Safari in Apple macOS.

"MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data," the Slovak cybersecurity company said in a report shared with The Hacker News.

In all, the backdoor supports 20 commands that facilitate covert access and control of infected systems. A number of Fooder variants impersonate the classic Snake game, while incorporating delayed execution to evade detection. MuddyWater's use of Fooder was first highlighted by Group-IB in September 2025.

Also used in the attacks are the following tools -

*   VAXOne, a backdoor that impersonates Veeam, AnyDesk, Xerox, and the OneDrive updater service
*   CE-Notes, a browser-data stealer that attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers (shares similarities with the open-source **ChromElevator** project)
*   Blub, a C/C++ browser-data stealer that gathers user login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera
*   LP-Notes, a credential stealer written in C/C++ that tricks users into entering their system username and password by displaying a fake Windows Security dialog

"This campaign indicates an evolu/on in the opera/onal maturity of MuddyWater," ESET said. "The deployment of previously undocumented components – such as the Fooder loader and MuddyViper backdoor – signals an effort to enhance stealth, persistence, and credential harvesting capabilities."

**Charming Kitten Leaks**

The disclosure comes weeks after the Israel National Digital Agency (INDA) attributed Iranian threat actors known as APT42 to attacks targeting individuals and organizations of interest in an espionage-focused campaign named SpearSpecter. APT42 is believed to share overlaps with another hacking group tracked as APT35 (aka Charming Kitten and Fresh Feline).

It also follows a massive leak of internal documents that has exposed the hacking group's cyber operations, which, according to British-Iranian activist Nariman Gharib, feeds into a system designed to locate and kill individuals deemed a threat to Iran. It's linked to the Islamic Revolutionary Guard Corps (IRGC), specifically its counterintelligence division known as Unit 1500.

"The story reads like a horror script written in PowerShell and Persian," FalconFeeds said, adding the leak reveals "a complete map of Iran's IRGC Unit 1500 cyber division."

The data dump was posted to GitHub in September and October 2025 by an anonymous collective named **KittenBusters**, whose motivations remain unknown. Notably, the trove identifies Abbas Rahrovi, also known as Abbas Hosseini, as the operation's leader, and alleges that the hacking unit is managed through a network of front companies.

Perhaps one of the other most consequential revelations is the release of the entire source code associated with the BellaCiao, which was flagged by Bitdefender in April 2023 as used in attacks targeting companies in the U.S., Europe, the Middle East, and India. Per Gharib, the backdoor is the work of a team operating from the Shuhada base in Tehran.

"The leaked materials reveal a structured command architecture rather than a decentralized hacking collective, an organization with distinct hierarchies, performance oversight, and bureaucratic discipline," DomainTools said.

"The APT35 leak exposes a bureaucratized cyber-intelligence apparatus, an institutional arm of the Iranian state with defined hierarchies, workflows, and performance metrics. The documents reveal a self-sustaining ecosystem where clerks log daily activity, quantify phishing success rates, and track reconnaissance hours. Meanwhile, technical staff test and weaponize exploits against current vulnerabilities."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks

Bethesda, USA / Maryland, 2nd December 2025, CyberNewsWire

**Bethesda, USA / Maryland, December 2nd, 2025, CyberNewsWire**

While most cybersecurity companies pour resources into AI models, massive compute, hoovering up all the data, and enhanced analytics to detect and prevent threats, Frenetik, a Maryland cyber startup, is betting on something simpler: making sure attackers don’t know what defenders know.

The company emerged today with a fundamentally different approach using novel cyber deception and a newly issued U.S. patent to back it.

> “The industry has turned cybersecurity into a compute and analysis war,” said founder Hans Ismirnioglou. “Bigger models, more data, faster analysis. But you can’t out-compute or out-analyze an adversary forever. We’re not trying to. We’re exploiting information asymmetry.”

Traditional deception tools deploy fake systems, wait for attackers to find them, and hope they interact. Frenetik’s patented “Deception In-Use” technology (U.S. Patent 12,463,981 – “Systems and Methods for Counter-Reconnaissance in Cloud Infrastructure to Disrupt Adversarial Targeting”) takes a different path: it continuously rotates actually used identities and resources across Microsoft Entra (M365), AWS, Google Cloud, and on-premises environments. The critical details of who changed, what changed, when, where, and how travel through out-of-band channels accessible only to trusted parties.

> Defenders stay informed. Attackers work from stale intelligence. “Adversaries, especially AI-driven ones, build models based on reconnaissance. They assume the environment they mapped earlier is the environment they’ll exploit today,” Ismirnioglou explained. “We break that assumption without needing a bigger GPU cluster by simply depriving them of easily discoverable information.”

Users can think of it as musical chairs for hackers: by the time they figure out where to sit, everything has moved—and only defenders know which chairs are real and which have become traps.

The technology transforms existing deception tools from passive traps into active ones. When Frenetik rotates real resources, attackers following stale intelligence get funneled straight into honeypots and decoys, supercharging interaction rates with classic deception elements that previously only hoped to look real. Unlike solutions requiring extensive tuning or analyst oversight, Frenetik works because attackers simply lack the information needed to know the difference.

> “I want the adversary to have to continuously put a dedicated body onto every target they go after – no more free lunches or easy days for America’s adversaries,” says Ismirnioglou.

**About Frenetik**

Frenetik, a Maryland-based cybersecurity startup, just emerged from stealth with a new approach: instead of flooding defenders with more data, it starves attackers of the information they need to move. Focused on measurable security outcomes, and pricing transparency, Frenetik is built to tip the balance of power by denying adversaries trustworthy insight into targeted environments. Frenetik offers a free community version at www.frenetik.us.

**Contact**

**Founder**  
**Hans Ismirnioglou**  
**Frenetik**  
**\[email protected\]**

Cyber Startup Frenetik Launches with Patented Deception Technology That Bets Against the AI Arms Race

Google’s December update fixes two Android bugs that criminals are actively exploiting. Update as soon as you can.

Google has patched 107 vulnerabilities in Android in its December 2025 Android Security Bulletin, including two high-severity flaws that are being actively exploited.

The December updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, but that doesn’t always mean the patches reach every device right away.

You can check your device’s Android version, security update level, and Google Play system update in **Settings**. You should get a notification when updates are ready for you, but you can also check for them yourself.

For most phones, go to **About phone** or **About device**, then tap **Software updates** to see if anything new is available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.

If your Android phone shows a patch level of **2025-12-05** or later, these issues are fixed.

Keeping your device up to date protects you from known vulnerabilities and helps you stay safe.

**Technical details**

The two actively exploited vulnerabilities were found in the Android application framework layer. This is the set of core Java/Kotlin APIs, system services, and components that apps are built on top of.

The Android framework is a large collection of prebuilt classes, interfaces, and services that provide higher‑level access to operating system (OS) functionality such as activities, views, notifications, storage, networking, sensors, and so on. App code calls these framework APIs, which in turn talk to lower layers like system services, native libraries, and the kernel.

The vulnerabilities that are under limited, targeted active exploitation are tracked as:

*   CVE-2025-48633: Details are limited. There’s no published CVSS score yet to indicate the threat level, let alone how easy it is to exploit. All Google revealed is that the flaw was found in the Framework layer and that it rated it as a “High severity” flaw. One source suggests it stems from improper input validation that could let a local application gain access to sensitive information.

*   CVE-2025-48572 (CVSS score 7.4 out of 10): The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.

**How to stay safe**

From the available information, attackers would need to trick a user into installing a malicious app that could then access sensitive data and run code on the device.

Which is another good reason to follow these safety precautions:

*   Only install apps from official app stores whenever possible and avoid installing apps promoted in links in SMS, email, or messaging apps.
*   Before installing finance‑related or retailer apps, verify the developer name, number of downloads, and user reviews rather than trusting a single promotional link.
*   Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
*   Scrutinize permissions. Does an app really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for accessibility, SMS, or camera access.
*   Keep Android, Google Play services, and all important apps up to date so you get the latest security fixes.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Google patches 107 Android flaws, including two being actively exploited 

Vulnerability management is a core component of every cybersecurity strategy. However, businesses often use thousands of software without realising it (when was the last time you checked?), and keeping track of all the vulnerability alerts, notifications, and updates can be a burden on resources and often leads to missed vulnerabilities. 
Taking into account that nearly 10% of

Vulnerability management is a core component of every cybersecurity strategy. However, businesses often use thousands of software without realising it (when was the last time you checked?), and keeping track of all the vulnerability alerts, notifications, and updates can be a burden on resources and often leads to missed vulnerabilities.

Taking into account that nearly 10% of vulnerabilities were exploited in 2024, a multitude of possible – detrimental – breaches could occur if immediate remediation doesn't take place.

Businesses need a service that delivers relevant and actionable vulnerability information as soon as possible, saving your business valuable time and resources. Traditional vulnerability management products are often expensive and come with a suite of services, many of which are not needed by businesses, especially those on a budget.

****A Smarter Way to Track Vulnerabilities****

SecAlerts is streamlined, easy-to-use, affordable and works in the background 24/7. It matches vulnerabilities to your software, using information as soon as it's released, rather than relying solely on NVD and its possible delays.

SecAlerts isn't invasive. It doesn't scan your network and nothing is installed on your system. Everything is done remotely in the Cloud. You list your software with SecAlerts and are sent vulnerability alerts relevant to that software.

Cybersecurity teams are often faced with the noise brought about by manually sifting through mountains of vulnerability information. SecAlerts prevents this and allows you to filter out the noise, so you only receive alerts you want to see. If you want to view critical Google vulnerabilities with a CVSS of 8 - 10 that have been exploited in the past two weeks, you can.

****How SecAlerts Works****

SecAlerts uses three core components – Stacks, Channels, and Alerts – in order for you to receive vulnerability information.

**Stacks** – upload your software, either manually, via a CSV, XLSX, or SPDX file, or run a stack-building script that automatically generates a full Software Bill of Materials (SBOM) and sends it to SecAlerts. The system supports multiple endpoints, repositories, and custom collections.

**Channels** – pinpoint those in your business who need to see the vulnerability information and choose how it's delivered: email, Slack, Teams, Jira, or Webhook.

**Alerts –** bring your Stacks and Channels together. Choose the frequency of notifications – from hourly to monthly – and apply filters such as severity, trending, exploited, and EPSS.

\*This three-step process is in place so, if need be, the same stack can be sent – with personalised settings – to more than one person, rather than uploading the same stack multiple times.

SecAlerts filters out the noise and delivers relevant, actionable, up-to-the-minute vulnerability alerts directly to you in a range of affordable plans. Try SecAlerts' free 30-day trial and get 50% off any one-year plan (code HACKERNEWS25).

****SecAlerts Feed****

When you have added your software, the vulnerabilities for that software populate your Feed, which shows information specific to those vulnerabilities. You can reduce the noise with our filters, so only the relevant vulnerabilities are highlighted. Along with your Stacks, Channels, and Alerts, you will see:

*   Vulnerabilities affecting your software over any period of time you choose.
*   A bar graph showing the vulnerabilities for that same period of time, colour-coded to show their severity.
*   The vulnerability information is broken down into tags e.g. vendor, source.

When you open 'More details' for each vulnerability, further information is displayed:

*   Vulnerabilities affecting your software over any period of time you choose.
*   Extended data for each vulnerability, including its source e.g. Mitre, Microsoft.
*   Which software and versions have been affected, as well as any remedy information.
*   Reference links for each vulnerability.

Below your Feed is **Insights**, which displays real-time vulnerability intelligence and risk analytics specific to your software. It highlights such things as key trends, risk patterns, and emerging threats across your software.

If you are an MSSP or your business has, e.g., several departments, each with its own software, **Properties** enables you to give each client/department its own Stacks, Channels, and Alerts unique to them. This allows you to manage everything in one place and maintain clear separation between clients/departments.

An integrated **Event Log** ensures full auditability, while downloadable reports support compliance, auditing, and executive communication.

SecAlerts offers an **API** for programmatic access and automated integration into existing tooling.

****A Time-Saving Solution for Overworked Security Teams****

SecAlerts serves a diverse global client base spanning numerous industries across five continents. Many of these integrate the platform into and alongside other cybersecurity products, thanks to its powerful noise-filtering capabilities and ability to deliver vulnerability intelligence when and how they want, all at a cost-effective price point.

_"SecAlerts is a game-changer,"_ stated one US client. _"The alerts are timely, relevant, and actionable – allowing us to stay ahead of threats and enhance protection for both our organisation and our clients."_

****Free 30-Day Trial****

SecAlerts works in the background 24/7 and saves your business valuable time and resources.

Try our free 30-day trial and use the code HACKERNEWS25 when you pay to receive 50% off a one-year SecAlerts subscription.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SecAlerts Cuts Through the Noise with a Smarter, Faster Way to Track Vulnerabilities

Menlo Park, USA, 2nd December 2025, CyberNewsWire

**Menlo Park, USA, December 2nd, 2025, CyberNewsWire**

Travel and hospitality industry leader **Sonesta International Hotels** partners with AccuKnox to deploy Zero Trust Integrated Application and Cloud Security for Microsoft Azure.

**AccuKnox****, Inc.**, announced that Sonesta International Hotels has partnered with AccuKnox to deploy Zero Trust CNAPP.

**Gartner Group, in its 2024 findings, reported that security leaders should:**

*   Adopt CNAPP offerings to safeguard cloud-native applications and counter the growing attack surface. These solutions protect against threats in the runtime environment, mitigate misconfigurations in cloud infrastructure, and streamline security integration and collaboration throughout the overall development experience.
*   Leverage CNAPP to strengthen defenses against network attacks, compute, storage, identities, permissions, APIs, and the software supply chain, thereby mitigating potential risks and safeguarding critical assets.
*   Prioritize solutions that cater to the increasing operational responsibilities of developers and cloud architects

Furthermore, Gartner opined that enterprises that do not employ a unified CNAPP will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.

In its 2024 report on Vulnerability Management, Gartner advised organizations to implement an RVBM (Risk-based Vulnerability Management) and conduct CTEM (Continuous Threat Exposure Management) to achieve actionability, risk control, security integration, and prioritization. 

Sonesta Security Engineering and Cloud Platform DevOps leaders were focused on implementing an integrated application security and cloud security platform with the following goals/objectives:

*   Multi-Cloud misconfigurations with a focus on reducing Alert Deluge
*   Compliance conformance against CIS, SOC2 Type II, NIST, MITRE, PCI across Multi-Cloud Infrastructure
*   DevSecOps with SAST, DAST & IaC security integrations with Azure DevOps
*   Automation of the Findings & Ticketing Lifecycle

Sonesta conducted an extensive POC (Proof of Concept) with multiple vendors and selected AccuKnox for the following reasons:

*   Multi-cloud misconfiguration detection 
*   Special focus on toxic combinations. 
*   Continuous Compliance visibility against cloud in CIS, SOC2 Type II, NIST, MITRE, PCI across Multi-Cloud Infrastructure
*   Consolidated view of the DevSecOps with SAST, DAST & IaC security integrations with Azure DevOps pipeline
*   45% reduction in the Engineering efforts due to the Automation of Findings & Ticketing Lifecycle

**Supporting Quotes**

> “We are thrilled that an industry leader like Sonesta chose us for their integrated Zero Trust ASPM/CNAPP platform. Their vision and strategy are very well aligned with ours, and we look forward to a great partnership”,

**Nat Natraj, co-founder and CEO, AccuKnox.**

> “We conducted an extensive evaluation of best-in-class vendors in the industry and selected AccuKnox based on their comprehensive features, ease of deployment, ease of use, 3rd party integrations, and real-time security to prevent advanced zero-day attacks. Their strong roadmap offerings in API Security, AI/LLM Security made AccuKnox the best choice for an integrated AppSec/CloudSec platform”

**David Billeter, Cybersecurity Leader, Sonesta International Hotels.**

**About** **AccuKnox**

AccuKnox provides a Zero Trust CNAPP Security platform that secures public clouds, private clouds, edge/IoT & 5G assets. AccuKnox is funded by leading security investors like National Grid Partners, MDSV, Avanta Venture Partners, Dolby Family Ventures, DreamIT Ventures, 5G Open Innovation Lab, and Seedop. AccuKnox was formed in partnership with SRI International (previously Stanford Research Institute) and has seminal patents on different aspects of Zero Trust security. 

**About Sonesta International Hotels**

Sonesta is the 8th largest hotel company in the U.S., according to Smith Travel Research (STR), with approximately 1,100 properties totaling 100,000 guest rooms across 13 brands in eight countries. Sonesta owns, manages, and/or franchises under The Royal Sonesta; The James, Classico Collection by Sonesta, Sonesta Hotels, Resorts & Cruises; MOD Collection by Sonesta, Sonesta Select Hotels; Sonesta Essential Hotels, Sonesta ES Suites, Sonesta Simply Suites, Red Lion Hotels, Inns & Suites by Sonesta; Signature Inn by Sonesta; Americas Best Value Inn by Sonesta; and Canada’s Best Value Inn by Sonesta.

**Contact**

**Syed Hadi**  
**AccuKnox**  
**\[email protected\]**

Tag

#microsoft