CyberSecurity news

FlagThis - #microsoft

@blog.redteam-pentesting.de //
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.

Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token.

The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.

Recommended read:
References :
  • bsky.app: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • Catalin Cimpanu: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • securityonline.info: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • blog.redteam-pentesting.de: Reflective Kerberos Relay Attack
  • www.synacktiv.com: NTLM reflection is dead, long live NTLM reflection: An in-depth analysis of CVE-2025
  • Daily CyberSecurity: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • infosecwriteups.com: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation

@socprime.com //
A critical zero-click AI vulnerability, dubbed "EchoLeak," has been discovered in Microsoft 365 Copilot, potentially allowing attackers to exfiltrate sensitive data without any user interaction. The vulnerability, identified as CVE-2025-32711, has been assigned a CVSS score of 9.3. Aim Security, the firm that discovered and reported the vulnerability, described it as an instance of a Large Language Model (LLM) Scope Violation, paving the way for indirect prompt injection and leading to unintended behavior. This allows attackers to automatically exfiltrate sensitive and proprietary information from Microsoft 365 Copilot's context without any specific action from the user, relying on Copilot's default behavior to combine and process content.

The attack sequence involves an attacker sending an innocuous-looking email containing a malicious prompt payload to an employee's Outlook inbox. When the user asks Microsoft 365 Copilot a business-related question, the system mixes the untrusted attacker input with sensitive data to the LLM context through its Retrieval-Augmented Generation (RAG) engine. This process results in Copilot leaking private data to the attacker via Microsoft Teams and SharePoint URLs. This means attackers can exploit a flaw where Copilot doesn't isolate trust boundaries when processing content from Outlook and SharePoint, turning a helpful automation feature into a potential data leak.

Microsoft has addressed the EchoLeak vulnerability and released an advisory stating that no further action is needed by customers. The company has implemented defense-in-depth measures and updated its products to mitigate the issue. While there is no evidence of malicious exploitation in the wild, the discovery highlights the importance of ongoing security research and proactive measures to protect AI-powered systems from potential vulnerabilities. Microsoft expressed appreciation to Aim Labs for responsibly reporting the issue, enabling them to address it before any customers were impacted.

Recommended read:
References :
  • cyberinsider.com: EchoLeak Zero-Click AI Attack in Microsoft Copilot Exposes Company Data
  • hackread.com: Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
  • socprime.com: CVE-2025-32711 Vulnerability: “EchoLeak†Flaw in Microsoft 365 Copilot Could Enable a Zero-Click Attack on an AI Agent
  • The Hacker News: Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
  • SOC Prime Blog: CVE-2025-32711 Vulnerability: “EchoLeakâ€� Flaw in Microsoft 365 Copilot Could Enable a Zero-Click Attack on an AI Agent
  • www.cybersecuritydive.com: Critical flaw in Microsoft Copilot could have allowed zero-click attack

info@thehackernews.com (The@The Hacker News //
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.

The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures.

Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.

Recommended read:
References :
  • Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
  • The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
  • Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
  • ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
  • www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
  • Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
  • BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
  • Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
  • www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
  • bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.

@research.checkpoint.com //
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.

The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file.

Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.

Recommended read:
References :
  • isc.sans.edu: Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
  • BleepingComputer: Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • Tenable Blog: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
  • cyberinsider.com: Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Cisco Talos Blog: Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
  • borncity.com: Summarizes the Microsoft security updates for June 10, 2025, noting the zero-day classification.
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day
  • hackread.com: June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day
  • CyberInsider: Summary of the June 2025 Patch Tuesday release.
  • research.checkpoint.com: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • : Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day
  • cyberscoop.com: Reports on Microsoft patching 66 vulnerabilities, including an actively exploited zero-day.
  • bsky.app: This month, Microsoft patched 67 vulnerabilities, including one actively exploited zero-days—CVE-2025-33053, a WebDAV RCE discovered by Check Point
  • : Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
  • www.helpnetsecurity.com: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • Kaspersky official blog: CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
  • thehackernews.com: Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
  • blog.checkpoint.com: Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day
  • Check Point Blog: Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Blog: Microsoft’s June addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.
  • go.theregister.com: Microsoft warns of 66 flaws to fix for this Patch Tuesday, and two are under active attack
  • arcticwolf.com: Arctic Wolf's blog covering the June 2025 Microsoft Patch Tuesday, mentioning CVE-2025-33053.
  • socprime.com: A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory.
  • www.bleepingcomputer.com: An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
  • arcticwolf.com: Arctic Wolf observes that Microsoft Patch Tuesday: June 2025 includes CVE-2025-33053.
  • Virus Bulletin: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • borncity.com: Microsoft Security Update Summary (June 10, 2025)
  • www.threatdown.com: June 2025 Microsoft Patch Tuesday fixes two zero-days
  • Arctic Wolf: Microsoft Patch Tuesday: June 2025
  • Help Net Security: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
  • infosecwriteups.com: (CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution  —  Here’s What You…
  • Action1: June 2025 Vulnerability Digest Recording

@blogs.microsoft.com //
Microsoft has launched the European Security Program (ESP), a new initiative aimed at significantly strengthening cybersecurity across Europe. The program provides critical resources to governments within the European Union, the United Kingdom, EU accession countries, and members of the European Free Trade Association. Microsoft Vice Chair Brad Smith unveiled the ESP in Berlin, emphasizing the need for enhanced cyber protection amidst growing sophistication and scope of cyber threats.

The ESP is a three-pronged strategy that includes AI-enhanced threat intelligence, direct collaboration with Europol, and automated disruption of malicious infrastructure. This program aims to counter the rising tide of cyberattacks from nation-state actors, specifically those originating from Russia, China, Iran, and North Korea. Microsoft is offering these AI-powered defense tools and threat intelligence resources free of charge, to the 27 EU nations.

By offering these resources, Microsoft intends to bolster digital sovereignty and address the operational complexities faced by European governments in defending against cyber threats. The initiative underscores Microsoft's commitment to sharing threat intelligence, strengthening cybersecurity capacity, and expanding partnerships to effectively disrupt malicious cyber activities. The free cyber security support will help European governments combat state-sponsored hackers as attacks continue to intensify across the continent.

Recommended read:
References :

Alex Simons@Microsoft Security Blog //
Microsoft is grappling with ongoing issues related to its Windows Updates, with another out-of-band patch released to address problems caused by a previous update. The May Patch Tuesday update had failed to install correctly on some Windows 11 virtual machines, leaving them in recovery mode with an "ACPI.sys" error. KB5062170 aims to resolve this boot error which affected Windows 11 23H2 and 22H2 systems, with the caveat that it does not fix a separate issue causing blurry CJK fonts in Chromium browsers at 100 percent scaling, requiring users to increase scaling to 125 or 150 percent as a workaround. The increasing frequency of these out-of-band fixes highlights ongoing challenges with Microsoft's quality control, impacting both consumer and enterprise users.

Alongside addressing update failures, Microsoft is actively developing AI capabilities and integrating them into its services. While specific details are limited, Microsoft is working towards building a "robust and sophisticated set of agents" across various fields and is looking at evolving identity standards. This future vision involves AI agents that can proactively identify problems, suggest solutions, and maintain context across conversations, going beyond simple request-response interactions. The company recently launched a public preview of its Conditional Access Optimizer Agent and is investing in agents for developer and operations workflows.

In the realm of cybersecurity, Microsoft Threat Intelligence has identified a new Russia-affiliated threat actor named Void Blizzard, active since at least April 2024. Void Blizzard is engaging in worldwide cloud abuse activity and cyberespionage, targeting organizations of interest to Russia in critical sectors such as government, defense, transportation, media, NGOs, and healthcare, primarily in Europe and North America. This discovery underscores the ongoing need for vigilance and proactive threat detection in the face of evolving cyber threats.

Recommended read:
References :
  • Microsoft Security Blog: Our industry needs to continue working together on identity standards for agent access across systems. Read about how Microsoft is building a robust and sophisticated set of agents.
  • Davey Winder: Microsoft has confirmed that Windows Update is changing — here's what you need to know.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024.

Brian Fagioli@BetaNews //
References: bsky.app , BetaNews , BleepingComputer ...
Microsoft is significantly expanding its cybersecurity support for European governments, providing a free security program specifically designed to combat AI-based cyberattacks. This initiative reflects Microsoft's commitment to bolstering the digital defenses of European nations. Furthermore, the company is actively addressing concerns related to competition within the European market, demonstrating a willingness to adapt to regulatory requirements and user preferences.

Microsoft is collaborating with CrowdStrike to harmonize cyber threat attribution. This partnership aims to establish a unified system for identifying and tracking cyber threat actors across different security platforms, which is designed to accelerate response times and strengthen global cyber defenses. The collaborative effort seeks to bridge the gaps created by differing naming systems for threat actors, creating a "Rosetta Stone" for cyber threat intelligence. This mapping will allow security teams to make informed decisions more quickly, correlate threat intelligence across sources, and disrupt malicious activity before it inflicts damage.

In response to Europe’s Digital Markets Act (DMA), Microsoft is making changes to the user experience within the European Economic Area. The company will reduce the frequency with which it prompts users to switch to Edge as their default browser. This change is intended to address complaints from rival browser makers and others who felt that Microsoft was unfairly pushing its own products. Europeans will also find it easier to uninstall the Windows Store and sideline Bing, offering greater control over their digital environment and aligning with the principles of the DMA, which aims to promote competition and user choice in the digital market.

Recommended read:
References :
  • bsky.app: While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.
  • BetaNews: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks.
  • @VMblog: CrowdStrike and Microsoft announced a collaboration to bring clarity and coordination to how cyber threat actors are identified and tracked across...
  • BleepingComputer: Microsoft and CrowdStrike announced today that they've partnered to connect the aliases used for specific threat groups without actually using a single naming standard.
  • SecureWorld News: CrowdStrike and Microsoft Join Forces on Naming Threat Actors
  • www.cybersecuritydive.com: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • Source: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. The post appeared first on .
  • MSSP feed for Latest: Microsoft and CrowdStrike Align on Threat Actor Mapping to Support Faster, Unified Defense
  • Catalin Cimpanu: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies
  • betanews.com: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks. Now, Microsoft and CrowdStrike are teaming up to clean up the mess they helped create. The two companies just announced a joint effort to map their threat actor naming systems to each other.
  • www.crowdstrike.com: Cybersecurity writers, rejoice! The alliance will help the industry better correlate threat actor aliases without imposing a single naming standard. It will grow in the future to include other organizations that also practice the art of attribution.
  • www.microsoft.com: Announcing a new strategic collaboration to bring clarity to threat actor naming
  • www.scworld.com: Microsoft, CrowdStrike pitch giving threat groups the same name
  • www.cxoinsightme.com: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
  • CIO Dive - Latest News: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • The Hacker News: Microsoft and CrowdStrike are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping.
  • www.csoonline.com: The partnership creates a shared mapping system that aligns threat actor attribution across both companies’ intelligence ecosystems.
  • aboutdfir.com: Microsoft and CrowdStrike finally fix the stupidest problem in cybersecurityÂ
  • cyberscoop.com: CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution
  • www.itpro.com: Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that
  • aboutdfir.com: Microsoft and CrowdStrike finally fix the stupidest problem in cybersecurity
  • Threats | CyberScoop: Wild variances in naming taxonomies aren’t going away, but a new initiative from the security vendors aims to more publicly address obvious overlap in threat group attribution.
  • www.techradar.com: Microsoft is looking to save precious seconds during cyberattacks by unifying threat actor naming.
  • ComputerWeekly.com: Microsoft outlines three-pronged European cyber strategy
  • CXO Insight Middle East: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
  • www.microsoft.com: Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity: Part 3
  • Thomas Roccia :verified:: Microsoft and CrowdStrike announced a collaboration to cross-ref their threat actor naming conventions.
  • TechHQ: Microsoft rolls out free cybersecurity support for European governments.

@blog.checkpoint.com //
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.

Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals.

In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats.

Recommended read:
References :
  • www.microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  • Catalin Cimpanu: Mastodon: The developers of the Lumma Stealer malware are making significant efforts to restore servers and return online.

@securityonline.info //
Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.

This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs.

EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development.

Recommended read:
References :
  • Virus Bulletin: Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns that trick users into executing a malicious PowerShell script. EDDIESTEALER is hosted on multiple adversary-controlled web properties.
  • The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
  • www.scworld.com: ClickFix used to spread novel Rust-based infostealer
  • Anonymous ???????? :af:: “Prove you're not a robot†— turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows , ,
  • securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
  • malware.news: Cybersecurity researchers have identified a sophisticated malware campaign utilizing deceptive CAPTCHA interfaces to distribute EddieStealer, a Rust-based information stealing malware that targets sensitive user data across multiple platforms.
  • cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
  • : Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware

info@thehackernews.com (The@The Hacker News //
A new Windows Remote Access Trojan (RAT) has been discovered that employs a novel technique to evade detection. The malware corrupts its own DOS and PE headers, making it significantly more difficult for security tools to analyze and reconstruct the malicious code. This method obstructs forensic analysis and allows the RAT to operate stealthily on compromised Windows machines for extended periods, in some cases, for weeks before being detected. The FortiGuard Incident Response Team conducted a detailed investigation into this malware.

The Fortinet team managed to obtain a memory dump of the live malware process (dllhost.exe process PID 8200) and a complete 33GB memory dump of the compromised system. By meticulously replicating the compromised environment, they were able to revive the dumped malware in a controlled setting. This allowed them to observe its operations and communication patterns. The researchers had to manually identify the malware's entry point, allocate memory, and resolve API addresses through debugging, address relocation, and parameter adjustments to emulate the malware's behaviour in a lab setting.

Once operational, the malware was found to communicate with a command-and-control (C2) server at rushpaperscom over port 443, utilizing TLS encryption. Fortinet analysts identified the malware's use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic, along with an additional layer of custom encryption. Analysis confirms that the malware is a RAT, allowing attackers to capture screenshots, manipulate system services, and establish connections with other clients.

Recommended read:
References :
  • ciso2ciso.com: New Malware Spotted Corrupts Its Own Headers to Block Analysis – Source:hackread.com
  • hackread.com: New Windows Malware Spotted Corrupts Its Own Headers to Block Analysis
  • The Hacker News: New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers
  • ciso2ciso.com: The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks.

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

Recommended read:
References :

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen - Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in colaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.
  • The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
  • The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

Ddos@securityonline.info //
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.

These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.

Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.

Recommended read:
References :
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • cyberpress.org: TAG-110 Hackers Use Malicious Word Templates for Targeted Attacks
  • : TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
  • securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
  • The Hacker News: The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

@www.microsoft.com //
References: cyberinsider.com , Dan Goodin , medium.com ...
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.

Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.

The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now.

Recommended read:
References :
  • cyberinsider.com: Microsoft has begun integrating post-quantum cryptography (PQC) into Windows Insider builds, marking a critical step toward quantum-resilient cybersecurity. Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility with …
  • Dan Goodin: Microsoft is updating Windows 11 with a set of new encryption algorithms that can withstand future attacks from quantum computers in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history.
  • Red Hat Security: In their article on post-quantum cryptography, Emily Fox and Simo Sorce explained how Red Hat is integrating post-quantum cryptography (PQC) into our products. PQC protects confidentiality, integrity and authenticity of communication and data against quantum computers, which will make attacks on existing classic cryptographic algorithms such as RSA and elliptic curves feasible. Cryptographically relevant quantum computers (CRQCs) are not known to exist yet, but continued advances in research point to a future risk of successful attacks. While the migration to algorithms resistant against such
  • medium.com: Post-Quantum Cryptography Is Arriving on Windows & Linux
  • www.microsoft.com: The recent advances in quantum computing offer many advantages—but also challenge current cryptographic strategies. Learn how FrodoKEM could help strengthen security, even in a future with powerful quantum computers. The post first appeared on .
  • arstechnica.com: For the first time, new quantum-safe algorithms can be invoked using standard Windows APIs.

info@thehackernews.com (The@The Hacker News //
A critical privilege escalation vulnerability has been discovered in the delegated Managed Service Account (dMSA) feature of Windows Server 2025's Active Directory. This flaw, dubbed "BadSuccessor," allows attackers with minimal permissions, specifically the ability to create objects inside an Active Directory organizational unit, to gain control over any user in the Active Directory domain, including Domain Admins. The vulnerability stems from improper permission handling during dMSA migration, where unauthorized users can simulate a migration process and inherit permissions of other accounts, even those with Domain Admin privileges. Security researchers have detailed that only write permissions over the attributes of a dMSA are required to execute this attack.

Microsoft has acknowledged the "BadSuccessor" issue in Windows Server 2025 but has rated it as moderate severity, sparking disagreement from security researchers who believe it poses a significant risk. Currently, there is no official patch available from Microsoft to address this vulnerability. This lack of an immediate patch has led security firms such as Akamai to document the privilege escalation flaw, emphasizing the potential for attackers to fully compromise an Active Directory domain by exploiting the dMSA feature. Akamai researchers found that in 91% of the environments they examined, users outside the domain admins group had the required permissions to perform this attack.

Organizations utilizing Active Directory are strongly advised to be aware of this vulnerability and actively monitor for suspicious activity related to dMSA objects. Security researchers are suggesting workarounds to mitigate the risk until Microsoft releases a formal patch. The core of the attack involves abusing the dMSA feature to elevate privileges, highlighting the importance of carefully reviewing and restricting permissions related to dMSA creation and management. Furthermore, the discovery of this vulnerability emphasizes the need for organizations to stay informed about the latest security research and apply necessary security measures to protect their Active Directory environments.

Recommended read:
References :
  • thecyberexpress.com: Active Directory dMSA Privilege Escalation Attack Detailed by Researchers
  • Davey Winder: New Windows Server 2025 Attack Compromises Any Active Directory User
  • The Hacker News: Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise
  • www.csoonline.com: BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover
  • Help Net Security: A privilege escalation vulnerability in Windows Server 2025 can be used by attackers to compromise any user in Active Directory (AD), including Domain Admins.
  • hackplayers: BadSuccessor: escalada de privilegios abusando de dMSA en Active Directory
  • www.helpnetsecurity.com: Unpatched Windows Server vulnerability allows full domain compromise
  • borncity.com: BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
  • thecyberexpress.com: Active Directory dMSA Privilege Escalation Attack Detailed by Researchers
  • borncity.com: BadSuccessor: Abusing dMSA to elevate privileges in Active Directory
  • www.scworld.com: Details - Cyber Security News
  • hackread.com: BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover
  • Assura, Inc.: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • www.assurainc.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • securityboulevard.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • ciso2ciso.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025 – Source: securityboulevard.com
  • securityboulevard.com: Cyber Heads Up: “BadSuccessorâ€â€”A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
  • gbhackers.com: SharpSuccessor PoC Released to Weaponize Windows Server 2025 BadSuccessor Flaw
  • cyberpress.org: SharpSuccessor: Weaponizing Windows Server 2025 BadSuccessor Vulnerability
  • securityonline.info: Windows Server 2025 “BadSuccessor” Flaw Allows Domain Takeover (PoC Available, No Patch)
  • securityonline.info: Akamai security researcher Yuval Gordon has uncovered an Active Directory privilege escalation vulnerability in Windows Server 2025, revealing
  • Cyber Security News: Critical privilege escalation vulnerability in Windows Server 2025’s Active Directory infrastructure has been weaponized through a new proof-of-concept tool called SharpSuccessor
  • : A critical privilege escalation vulnerability in Windows Server 2025’s delegated Managed Service Account (dMSA) feature enables attackers to compromise Active Directory domains using tools like SharpSuccessor.
  • SOC Prime Blog: BadSuccessor Detection: Critical Windows Server Vulnerability Can Compromise Any User in Active Directory

@arstechnica.com //
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.

Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice.

Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers.

Recommended read:
References :
  • security ? Ars Technica: “Microsoft has simply given us no other option,†Signal says as it blocks Windows Recall
  • The Register - Software: Signal shuts the blinds on Microsoft Recall with the power of DRM
  • www.techradar.com: Signal blasts Microsoft over Recall privacy failings, as secure messaging app is forced to fudge a way of blocking the controversial Windows 11 feature
  • Dropsafe: By Default, Signal Doesn’t Recall | Signal Windows app leverages DRM content protection hacks to hide messages from Windows Recall
  • Dan Goodin: Signal writes: "We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn’t have to implement “one weird trick†in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either."
  • www.bleepingcomputer.com: Signal now blocks Microsoft Recall screenshots on Windows 11
  • CyberInsider: Signal Deploys Countermeasure to Shield Messages from Windows Recall
  • securityaffairs.com: New Signal update stops Windows from capturing user chats
  • Schneier on Security: Signal Blocks Windows Recall
  • cyberinsider.com: Signal Deploys Countermeasure to Shield Messages from Windows Recall

Dhara Shrivastava@cysecurity.news //
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.

The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.

M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.

Recommended read:
References :
  • The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
  • The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
  • BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
  • ComputerWeekly.com: M&S cyber attack disruption likely to last until July
  • BleepingComputer: British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • www.bleepingcomputer.com: Marks & Spencer faces $402 million profit hit after cyberattack
  • socprime.com: A joint advisory from cybersecurity and intelligence agencies across North America, Europe, and Australia confirms a two-year-long cyberespionage campaign by russian GRU Unit 26165 (APT28, Forest Blizzard, Fancy Bear).
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.

@www.eweek.com //
Microsoft is embracing the Model Context Protocol (MCP) as a core component of Windows 11, aiming to transform the operating system into an "agentic" platform. This integration will enable AI agents to interact seamlessly with applications, files, and services, streamlining tasks for users without requiring manual inputs. Announced at the Build 2025 developer conference, this move will allow AI agents to carry out tasks across apps and services.

MCP functions as a lightweight, open-source protocol that allows AI agents, apps, and services to share information and access tools securely. It standardizes communication, making it easier for different applications and agents to interact, whether they are local tools or online services. Windows 11 will enforce multiple security layers, including proxy-mediated communication and tool-level authorization.

Microsoft's commitment to AI agents also includes the NLWeb project, designed to transform websites into conversational interfaces. NLWeb enables users to interact directly with website content through natural language, without needing apps or plugins. Furthermore, the NLWeb project turns supported websites into MCP servers, allowing agents to discover and utilize the site’s content. GenAIScript has also been updated to enhance security of Model Context Protocol (MCP) tools, addressing vulnerabilities. Options for tools signature hashing and prompt injection detection via content scanners provide safeguards across tool definitions and outputs.

Recommended read:
References :
  • Ken Yeung: AI Agents Are Coming to Windows—Here’s How Microsoft Is Making It Happen
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11
  • www.marktechpost.com: Critical Security Vulnerabilities in the Model Context Protocol (MCP): How Malicious Tools and Deceptive Contexts Exploit AI Agents
  • GenAIScript | Blog: MCP Tool Validation
  • Ken Yeung: Microsoft’s NLWeb Project Turns Websites into Conversational Interfaces for AI Agents
  • blogs.microsoft.com: Microsoft Build 2025: The age of AI agents and building the open agentic web
  • www.eweek.com: Microsoft’s Big Bet on AI Agents: Model Context Protocol in Windows 11

@www.bleepingcomputer.com //
Cybercriminals have been actively distributing trojanized versions of the KeePass password manager for at least eight months, leading to significant security breaches. These malicious versions are designed to install Cobalt Strike beacons, steal stored credentials, and ultimately deploy ransomware on compromised networks. The attacks often begin with users downloading fake KeePass installers promoted through malicious advertisements on search engines like Bing and DuckDuckGo, which redirect victims to lookalike websites.

Once installed, the trojanized KeePass variants, sometimes referred to as "KeeLoader," function as both a credential stealer and a loader for additional malware. These altered versions export the password database in clear text, relaying it to attackers via the Cobalt Strike beacon. This allows the cybercriminals to gain unauthorized access to sensitive networks, VPNs, and cloud services. The compromised credentials enable attackers to deploy ransomware payloads, often targeting VMware ESXi servers to encrypt datastores, disrupting operations and demanding ransom payments.

Researchers at WithSecure have uncovered that the attackers modify the open-source KeePass code, embedding malicious functionality directly into the application. This makes the altered KeePass builds difficult to detect as they retain all legitimate functionalities while secretly logging credentials and exporting them as CSV files. The use of valid, trusted code-signing certificates further helps the malicious versions evade detection. Security experts emphasize the importance of downloading software only from official websites and verifying the application's authenticity to avoid falling victim to these sophisticated attacks.

Recommended read:
References :
  • BleepingComputer: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
  • securityonline.info: Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
  • The DefendOps Diaries: Revised Analysis of KeePass Exploitation and Ransomware Deployment
  • www.bleepingcomputer.com: Fake KeePass password manager leads to ESXi ransomware attack
  • cyberinsider.com: KeePass Clone Used for Deploying Malware and Stealing Credentials
  • BleepingComputer: Fake KeePass password manager leads to ESXi ransomware attack
  • www.helpnetsecurity.com: Trojanized KeePass opens doors for ransomware attackers
  • www.scworld.com: 'Textbook identity attack' dropped ransomware via fake KeePass site
  • www.techradar.com: Hackers are distributing a cracked password manager that steals data, deploys ransomware
  • bsky.app: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
  • securityonline.info: Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
  • Help Net Security: Trojanized KeePass opens doors for ransomware attackers

@www.csoonline.com //
A new cybersecurity threat has emerged, putting Windows users at risk. A tool called 'Defendnot' can disable Microsoft Defender, the built-in antivirus software in Windows 10 and 11. This is achieved by registering a fake antivirus product through an exploited vulnerability in the Windows Security Center (WSC) API. This exploit tricks Windows into thinking another antivirus solution is managing real-time protection, causing it to automatically disable Microsoft Defender to avoid conflicts. Even if no real antivirus software is installed, Defendnot can still successfully deactivate the system's primary defense, leaving the computer vulnerable to malicious attacks.

The Defendnot tool, created by a security researcher known as es3n1n, takes advantage of an undocumented WSC API intended for antivirus software manufacturers. This API allows legitimate antivirus programs to inform Windows that they are installed and handling real-time protection. Defendnot abuses this functionality by simulating a valid antivirus product, passing all of Windows' verification checks. This exploitation raises concerns about the security of the WSC API and the potential for other malicious actors to utilize similar techniques to bypass Windows' built-in security measures.

This isn't the first attempt to exploit this vulnerability. An earlier tool, named "no-defender," was previously released but faced a DMCA takedown request after gaining significant attention. The developer was accused of using code from a third-party antivirus product to spoof registration with the WSC. Defendnot is a replacement for that tool, and it also features a loader enabling customized antivirus names, registration deactivation, and verbose logging, as well as allows automated execution via the Windows Task Scheduler for persistence. Microsoft is aware of the problem and has begun flagging the tool as potentially malicious software, being tracked and quarantined as 'Win32/Sabsik.FL.!ml'.

Recommended read:
References :
  • The DefendOps Diaries: Explore how the Defendnot tool exploits Windows vulnerabilities to disable Microsoft Defender, highlighting cybersecurity challenges.
  • BleepingComputer: New 'Defendnot' tool tricks Windows into disabling Microsoft Defender
  • www.csoonline.com: Windows Defender can be tricked into disabling itself by faking the presence of another antivirus solution–a behavior that threat actors can abuse to run malicious code without detection.
  • www.scworld.com: Microsoft Defender deactivated by new tool
  • borncity.com: Windows 10/11: Defender can be deactivated with a simple tool (Defendnot)
  • www.techradar.com: Hackers can turn off Windows Defender with this sneaky new tool