Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Quick Takeaways Strobes Security appoints Ed Adams, a cybersecurity industry veteran with over 20 years of leadership, as Strategic Advisor to bolster its US growth and enterprise cybersecurity offerings. Adams’s extensive experience includes leading Security Innovation, spinning off successful companies, and contributing to cybersecurity education and policy, making him a valuable asset for market expansion. He will focus on enhancing Strobes’s enterprise go-to-market strategy, channel partnerships, and adoption, leveraging his expertise in working with security buyers and guiding successful exits. The appointment underscores Strobes’s mission to operationalize exposure management through AI-driven solutions that simplify security operations and enable faster threat…
Summary Points AI-powered browsers like Perplexity’s Comet can be hijacked through hidden prompt injections, leading to unauthorized data access and actions without user awareness. These attacks exploit the AI’s inability to differentiate between legitimate instructions and embedded malicious prompts within web content. Traditional security measures fail because AI agents operate with user privileges across domains, bypassing same-origin policies and sandboxing. Organizations should implement dynamic SaaS security platforms to monitor, govern, and contain AI copilots’ access, ensuring protection against prompt-based exploits. When Your Browser Turns Against You: The Rise of AI Exploits Modern browsers are no longer just tools for viewing…
As Generative and agentic AI systems become core infrastructure, implementing continuous AI observability—capturing context, responses, and decision pathways—is essential for security, risk detection, and operational control. Unlike traditional software, AI systems are probabilistic and complex, requiring tailored telemetry such as user prompts, model responses, retrieval provenance, and conversation context to detect malicious activities or failures. Integrating AI observability into the Secure Development Lifecycle involves early instrumentation, maintaining full context, establishing behavioral baselines, and coupling with governance to ensure compliance and security. Proper AI observability enhances security teams’ ability to detect risks, reconstruct incidents, validate safeguards, and confidently deploy AI systems,…
Top Highlights The malware “SnappyClient” is a stealthy, C++-based command-and-control (C2) implant used primarily for data theft and remote system control, with capabilities like screenshots, keystroke logging, and file exfiltration. It employs sophisticated evasion techniques, including bypassing Microsoft’s AMSI, executing in 64-bit mode, making direct system calls, and decrypting communications with modern encryption, making detection challenging. Delivered via a modular loader called “HijackLoader” using social engineering tactics like fake websites or ClickFix methods, it establishes persistence and encrypts C2 traffic with ChaCha20-Poly1305 to evade network detection. Designed for long-term operations, SnappyClient can harvest credentials from multiple browsers, establish remote shells,…
Top Highlights Since late February, Cisco has disclosed nine critical vulnerabilities in its network edge products, with five already exploited in the wild, highlighting an urgent and widespread security crisis. Attackers exploited zero-day vulnerabilities in Cisco SD-WANs for at least three years before disclosure, and recent attacks involve low CVSS score flaws that still pose significant risks. Active exploitation includes ransomware campaigns like Interlock targeting Cisco firewalls, which gained a week’s head start with a zero-day to compromise organizations before detection. Experts warn that vulnerabilities in management-plane and control-plane devices at the network edge can undermine enterprise security, emphasizing the…
Fast Facts The Interlock ransomware group is actively exploiting a critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center to execute arbitrary Java code and compromise organizations globally. Amazon threat researchers discovered the attack 36 days before Cisco’s disclosure, revealing the group’s sophisticated tactics, including customized malware, memory-resident webshells, and Linux proxies, targeting sectors like healthcare and government. Attackers utilize advanced tools such as JavaScript and Java backdoors, PowerShell scripts, and legitimate utilities (e.g., ConnectWise, Volatility) to escalate privileges, maintain persistence, and exfiltrate data, often erasing logs and obscuring their activities. Immediate application of the latest security patches for…
Fast Facts DarkSword is a sophisticated full-chain iOS exploit utilizing six vulnerabilities—four of which are zero-days—to fully compromise iPhones running iOS 18.4 to 18.7, bypassing Apple’s security protections. It operates solely through JavaScript, enabling attackers to evade security layers like Page Protection Layer and Secure Page Table Monitor, and is actively used in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine. Post-exploitation malware families—GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE—are deployed, each designed for data exfiltration, device control, or espionage, with some modules downloaded at runtime to evade detection. Multiple threat actors, including state-sponsored groups and commercial surveillance vendors, have exploited DarkSword…
Summary Points Russian hacking group FancyBear inadvertently exposed its active espionage campaign by leaving a server open for over 500 days, revealing stolen emails, credentials, and contact data from several European government and military entities, including NATO members. The group bypassed two-factor authentication (2FA) stealthily by deploying a JavaScript malware inside authenticated webmail sessions, which captured and exfiltrated 2FA secrets and passwords without alerting victims. The campaign targeted high-value targets such as Ukrainian war crimes investigators and military organizations across Romania, Greece, Bulgaria, Serbia, and North Macedonia, signaling deliberate intelligence-driven efforts rather than opportunistic attacks. Organizations using Roundcube with the…
Fast Facts Two new, undocumented malware strains—CondiBot (a DDoS botnet) and Monaco (a crypto miner)—have emerged, targeting routers, IoT, and enterprise devices to facilitate large-scale attacks and crypto mining, with no prior detection on major platforms. These strains exploit vulnerabilities in network infrastructure, with attacks increasing eightfold and a median exploit-to-patch time of 30 days, highlighting a significant and evolving threat to network security. CondiBot infects Linux-based devices via multiple transfer methods, disables reboot utilities, and actively kills competing malware, making removal difficult and persistent. The lack of visibility into embedded firmware layers leaves most enterprise security tools blind to…
Quick Takeaways LeakNet is rapidly expanding its attack methods by replacing underground credential sales with broad-reaching social engineering tactics like ClickFix, which deceive users via fake verification pages on legitimate sites, increasing the victim pool without relying on stolen credentials. The group employs a sophisticated, memory-only loader built on the Deno JavaScript runtime—using trusted tools like PowerShell and VBS scripts to run malicious code entirely in RAM, reducing detection by traditional security measures. LeakNet’s consistent post-exploitation process, regardless of initial entry method, offers identifiable behavioral signals, enabling defenders to detect and mitigate threats at specific points in the attack chain. To…