<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[FPT Metrodata Indonesia Cyber Security]]></title><description><![CDATA[FMI Cyber Security News Threat Intelligence SOC, MSSP Pentest Red Team Blue Team]]></description><link>https://news.fmisec.com</link><image><url>https://cdn.hashnode.com/res/hashnode/image/upload/v1733298927036/865fc033-1834-4489-95db-82eeec26ef58.png</url><title>FPT Metrodata Indonesia Cyber Security</title><link>https://news.fmisec.com</link></image><generator>RSS for Node</generator><lastBuildDate>Tue, 21 Apr 2026 07:52:41 GMT</lastBuildDate><atom:link href="https://news.fmisec.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[British Scattered Spider hacker pleads guilty to crypto theft charges]]></title><description><![CDATA[A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.
In November 2024, U.S. prosecutors  24-year-old Tyler Robert Bucha...]]></description><link>https://news.fmisec.com/british-scattered-spider-hacker-pleads-guilty-to-crypto-theft-charges</link><guid isPermaLink="true">https://news.fmisec.com/british-scattered-spider-hacker-pleads-guilty-to-crypto-theft-charges</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Mon, 20 Apr 2026 17:32:24 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/20/Hacker-spider-large_blue.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/20/Hacker-spider-large_blue.jpg" alt /></p>
<p>A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.</p>
<p>In November 2024, U.S. prosecutors  24-year-old Tyler Robert Buchanan and four other suspects of stealing at least $8 million in cryptocurrency after hacking at least a dozen companies through text-message phishing attacks between September 2021 and April 2023.</p>
<p>The list of breached organizations includes companies from a wide range of industries, such as entertainment, telecommunications, technology, business process outsourcing (BPO), and information technology (IT) suppliers, as well as cloud communications providers, virtual currency providers, and individuals.</p>
<p>"As part of the scheme, Buchanan and his co-conspirators conducted Short Message Service (SMS) phishing attacks by sending hundreds of SMS phishing messages to the mobile telephones of a victim company's employees. The messages purported to be from the victim company or a contracted IT or BPO supplier for the victim company," the Justice Department .</p>
<p>"The SMS phishing messages contained links to phishing websites designed to look like legitimate websites of a victim company or a contracted IT or BPO supplier. The websites then lured the recipient into providing confidential information, including personal identifying information (PII), and account usernames and passwords."</p>
<p>According to  , they used the stolen information to hijack the victims' email accounts in SIM swap attacks, allowing them to gain control of their phone numbers and virtual currency wallets and transfer millions to wallets they controlled.</p>
<p>Buchanan  in June 2024 in Palma de Mallorca, Spain, has been in U.S. federal custody since April 2025, and will be sentenced on August 21, 2026, facing a statutory maximum sentence of 22 years in prison.</p>
<p>Three of his accomplices (Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans) were also charged in November 2024 with wire fraud, wire fraud conspiracy, and aggravated identity theft and are facing up to 20 years in federal prison if found guilty.</p>
<p>Noah Michael Urban (known online as Sosa and Elijah), a fourth conspirator and another key member of the Scattered Spider cybercrime collective,  after  to wire fraud and conspiracy charges one year ago.</p>
<h2 id="heading-the-scattered-spider-hacking-collective">The Scattered Spider hacking collective</h2>
<p>Also tracked as , , , Starfraud, , and , the Scattered Spider gang is a loose-knit group of English-speaking threat actors (as young as 16) that orchestrates attacks using Telegram channels, Discord servers, and hacker forums.</p>
<p>, they're using various tactics to breach corporate networks, including social engineering, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping.</p>
<p>Some Scattered Spider members are also believed to be part of "the Com," another hacking collective linked to violent incidents and cyberattacks.</p>
<p>Since the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including , , and .</p>
<p>In July 2024, UK police also , believed to have been involved in the 2023 MGM Resorts ransomware attack. Other high-profile attacks linked to this cybercrime group include breaches at , , , , , and .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[The backup myth that is putting businesses at risk]]></title><description><![CDATA[*
Ransomware and other cyberthreats often dominate conversations about data loss, but they are not the only risks businesses face. Everyday issues such as hardware failures, accidental deletions and power outages can bring operations to a halt just a...]]></description><link>https://news.fmisec.com/the-backup-myth-that-is-putting-businesses-at-risk</link><guid isPermaLink="true">https://news.fmisec.com/the-backup-myth-that-is-putting-businesses-at-risk</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Mon, 20 Apr 2026 17:32:23 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2024/01/04/Hacker_datacenter.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p>Ransomware and other cyberthreats often dominate conversations about data loss, but they are not the only risks businesses face. Everyday issues such as hardware failures, accidental deletions and power outages can bring operations to a halt just as quickly.</p>
<p>The countermeasure businesses adopt is backing up their data. The assumption is simple — if data is saved, it can be restored. But this overlooks a critical factor. Backup does not keep a business running during a disruption. It only helps recover after the damage is done.</p>
<p>That gap is where the real risk lies. When systems are down, employees can’t work, customers can’t access services and revenue stops immediately. According to research by Oxford Economics, , or $540,000 per hour.</p>
<p>At that scale, even short interruptions are no longer acceptable. Organizations need more than data protection. They need business continuity.</p>
<p>In this article, we’ll look at how relying solely on backups leaves organizations exposed — and why a comprehensive business continuity and disaster recovery (BCDR) strategy is essential to keep operations running.</p>
<h2 id="heading-the-growing-gap-between-backup-and-recovery">The growing gap between backup and recovery</h2>
<p>Many small businesses are protected on paper, but not in practice. The issue is not whether data is backed up, but rather how quickly that data can be restored — and whether the business can function during that process.</p>
<p>The   by Datto, a Kaseya company, found that more than 60% of organizations believed they could recover in under a day. However, in practice, only 35% achieved that during real downtime events.</p>
<p>A common misconception among small businesses is that backup equals protection.</p>
<p>Imagine a ransomware attack encrypts a company’s systems.</p>
<p>With a traditional backup setup, the response is straightforward. Identify the breach, wipe affected systems and begin restoring data from backups. Depending on the size of the environment, this process can take hours or even days.</p>
<p>Now consider the same situation with a BCDR solution in place.</p>
<p>Instead of waiting for full restoration, systems can be quickly spun up from recent backups, often within minutes. Operations continue in a virtualized environment while the primary systems are restored in the background. The disruption is contained, and the business continues to run.</p>
<p>This is the gap many businesses overlook. Backup is designed to store and retrieve data while BCDR is designed to maintain operations.</p>
<h3 id="heading-the-cost-of-downtime">The cost of downtime</h3>
<p>To better understand the cost of downtime, consider the following example. Let’s say your business has 100 employees, the average hourly revenue is $1,500 and the backup data set is 2 TB. Given these parameters, a full restore from a local backup using traditional backup software could take more than eight hours. The associated downtime would cost approximately $34,000 in lost revenue.</p>
<p>Beyond direct losses, downtime also affects reputation. Customers expect consistent access to services. When systems are unavailable, trust is affected. Delays, failed transactions and lack of access create friction that can push customers toward competitors. For service-based businesses, even a single disruption can lead to long-term client loss.</p>
<p>This is why business continuity is now a baseline requirement. It’s part of how businesses maintain operations and protect customer relationships.</p>
<h2 id="heading-the-right-bcdr-solution">The right BCDR solution</h2>
<p>Modern BCDR solutions allow systems to stay available through failover and rapid recovery, limiting financial losses and disruption.</p>
<p>Hybrid cloud backup is one of the most effective approaches. By combining local and cloud-based recovery, it delivers both speed and flexibility. Local backups provide near-instant recovery for common issues, while cloud replication protects against larger incidents such as ransomware or infrastructure failures.</p>
<p>If local systems are compromised by a ransomware attack, clean and isolated copies of data remain available in the cloud. Recovery does not depend on paying a ransom or negotiating access. The business retains control.</p>
<p>That continuity is what defines a strong BCDR solution. Datto BCDR is built around this principle, delivering the speed to recover from everyday disruptions and the reliability to handle larger failures without adding complexity for your business or clients.</p>
<h2 id="heading-turning-bcdr-into-a-growth-opportunity">Turning BCDR into a growth opportunity</h2>
<p>BCDR supports long-term growth for MSPs by enabling a recurring service model. At a time when it’s challenging to acquire new customers, this matters more than ever. The  by Kaseya found that 71% of MSPs consider acquiring new customers their biggest challenge.</p>
<p>This makes expanding services within existing accounts far more valuable. In this context, BCDR stands out as a category with steady adoption and strong growth, creating a clear opportunity for MSPs to build consistent revenue while strengthening client relationships.</p>
<h3 id="heading-how-to-have-a-winning-bcdr-sales-conversation">How to have a winning BCDR sales conversation</h3>
<p>Clients understand data loss. They can picture files disappearing. What they struggle to grasp is downtime and its impact on revenue and reputation. That gap often leads to underinvestment, with clients settling for basic backup and assuming they’re covered.</p>
<p>To bridge this gap, MSPs need to change how they frame the conversation.</p>
<h3 id="heading-shift-the-conversation-from-technology-to-business-impact">Shift the conversation from technology to business impact</h3>
<p>Most clients don’t think in terms of backup frequency or storage capacity. They think about whether their business can continue operating.</p>
<p>Instead of focusing on features, focus on outcomes:</p>
<ul>
<li><p>What happens if systems are unavailable for three hours?</p>
<ul>
<li><p>How much revenue is lost during that time?</p>
</li>
<li><p>How many employees are unable to work?</p>
</li>
<li><p>How long will it take to fully recover?</p>
</li>
</ul>
</li>
</ul>
<p>When framed this way, the discussion moves away from IT spend and toward business continuity. Tools like  can help quantify this impact. When clients see downtime expressed in financial terms, the value of BCDR becomes clearer.</p>
<h3 id="heading-make-recovery-concepts-easy-to-understand">Make recovery concepts easy to understand</h3>
<p>Technical terms like recovery time objective (RTO) and recovery point objective (RPO) can create confusion if introduced too early.</p>
<p>Start with simple questions:</p>
<ul>
<li><p>If your systems are down for a full day, can your business operate?</p>
<ul>
<li>If you lose a day of data, what does that mean for revenue and customer commitments?</li>
</ul>
</li>
</ul>
<p>Then connect those answers to recovery metrics. Real scenarios help reinforce this. For example, if a business backs up data once per day and an incident occurs just before the next backup, all recent work is lost. For most organizations, that level of loss is not acceptable.</p>
<h3 id="heading-taking-the-next-step">Taking the next step</h3>
<p>Building and communicating a strong BCDR strategy requires the right tools and a clear way to show clients what is at stake and how to address it.</p>
<p>This  walks through this step by step. It includes practical examples, case studies and strategies that show how to position business continuity, quantify its value and turn it into a service clients understand and adopt.</p>
<p><strong> and start building a continuity strategy that works for both you and your clients.</strong></p>
<p>Sponsored and written by .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Critical flaw in Protobuf library enables JavaScript code execution]]></title><description><![CDATA[Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers.
The tool is highly popular in the Node Package Manager (npm) registry, wi...]]></description><link>https://news.fmisec.com/critical-flaw-in-protobuf-library-enables-javascript-code-execution</link><guid isPermaLink="true">https://news.fmisec.com/critical-flaw-in-protobuf-library-enables-javascript-code-execution</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sun, 19 Apr 2026 17:08:28 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/17/protobuf.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/17/protobuf.jpg" alt /></p>
<p>Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers.</p>
<p>The tool is highly popular in the Node Package Manager (npm) registry, with an average of nearly . It is used for inter-service communication, in real-time applications, and for efficient storage of structured data in databases and cloud environments.</p>
<p>In a report on Friday, application security company Endor Labs says that the remote code execution vulnerability (RCE) in protobuf.js is caused by unsafe dynamic code generation.</p>
<p>The security issue has not received an official CVE number and is currently being tracked as GHSA-xq3m-2v4x-88gg, the identifier assigned by GitHub.</p>
<p> that the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it fails to validate schema-derived identifiers, such as message names.</p>
<p>This lets an attacker supply a malicious schema that injects arbitrary code into the generated function, which is then executed when the application processes a message using that schema.</p>
<p>This opens the path to RCE on servers or applications that load attacker-influenced schemas, granting access to environment variables, credentials, databases, and internal systems, and even allowing lateral movement within the infrastructure.</p>
<p>The attack could also affect developer machines if those load and decode untrusted schemas locally.</p>
<p>The flaw impacts protobuf.js versions 8.0.0/7.5.4 and lower. Endor Labs recommends upgrading to 8.0.1 and 7.5.5, which address the issue.</p>
<p>The patch sanitizes type names by stripping non-alphanumeric characters, preventing the attacker from closing the synthetic function. However, Endor comments that a longer-term fix would be to stop round-tripping attacker-reachable identifiers through Function at all.</p>
<p>Endor Labs is warning that “exploitation is straightforward,” and that the minimal proof-of-concept (PoC) included in the  reflects this. However, no active exploitation in the wild has been observed to date.</p>
<p>The vulnerability was reported by Endor Labs researcher and security bug bounty hunter  on March 2, and the protobuf.js maintainers released a patch on  GitHub on March 11. Fixes to the npm packages were made available on April 4 for the 8.x branch and on April 15 for the 7.x branch.</p>
<p>Apart from upgrading to patched versions, Endor Labs also recommends that system administrators audit transitive dependencies, treat schema-loading as untrusted input, and prefer precompiled/static schemas in production.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support]]></title><description><![CDATA[*
The new release adds automated replication, support for newer VMware vSphere and Proxmox versions, and modern authentication for faster, safer recovery.
Sparks, Nevada – April 3rd, 2026 – NAKIVO Inc., trusted by over 16,000 organizations in 191 cou...]]></description><link>https://news.fmisec.com/nakivo-v112-ransomware-defense-faster-replication-vsphere-9-and-proxmox-ve-90-support</link><guid isPermaLink="true">https://news.fmisec.com/nakivo-v112-ransomware-defense-faster-replication-vsphere-9-and-proxmox-ve-90-support</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sat, 18 Apr 2026 16:14:18 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/15/nakivo-header.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p>The new release adds automated replication, support for newer VMware vSphere and Proxmox versions, and modern authentication for faster, safer recovery.</p>
<p>Sparks, Nevada – April 3rd, 2026 – NAKIVO Inc., trusted by over 16,000 organizations in 191 countries, announced the general availability of , focused on fast, reliable, and proactive data protection.</p>
<p>As ransomware attacks evolve and downtime costs rise, v11.2 provides IT teams with tools to quicken recovery, support next-generation infrastructure, and maintain secure data protection without added complexity.</p>
<h2 id="heading-automated-real-time-replication">Automated Real-Time Replication</h2>
<p>At the core of v11.2 is an automated real-time replication engine. It keeps replica VMs synchronized with production workloads, allowing organizations to fail over to a recent replica within minutes after hardware failures, ransomware, or human error.</p>
<p>For businesses where every minute of downtime carries measurable financial or reputational consequences, this capability closes one of the most dangerous blind spots in traditional backup strategies: the window between the last scheduled job and the moment of failure.</p>
<h2 id="heading-support-for-vmware-vsphere-9-and-proxmox-ve-90-and-91">Support for VMware vSphere 9 and Proxmox VE 9.0 and 9.1</h2>
<p>Keeping your backup stack aligned with hypervisor versions is mission-critical for teams managing VMware, Proxmox, or hybrid environments. NAKIVO Backup &amp; Replication v11.2 addresses that directly while also tightening security and laying the groundwork for faster disaster recovery.</p>
<h3 id="heading-full-vmware-vsphere-9-support">Full VMware vSphere 9 Support</h3>
<p><img src="https://www.bleepstatic.com/images/news/security/n/nakivo/ransomware-defense/Full-VMware-vSphere-9-Support.jpg" alt /></p>
<p>The most significant update for VMware administrators: v11.2 delivers complete, production-ready support for vSphere 9, including vCenter Server 9.0.1.0, ESXi 9.0.1.0, and VDDK 9.0.1.0.</p>
<p>Earlier builds introduced initial compatibility, but v11.2 provides full readiness, enabling teams to upgrade their VMware infrastructure with confidence that NAKIVO will operate without disrupting existing jobs.</p>
<p>All core capabilities are fully operational under vSphere 9:</p>
<ul>
<li><p><strong>Agentless image-based backup and replication</strong> using Changed Block Tracking (CBT) for efficient, low-impact incrementals</p>
<ul>
<li><p><strong>Instant VM recovery</strong> to restore workloads in minutes, not hours</p>
</li>
<li><p><strong>Granular file-level and application-object recovery</strong> for Exchange and SQL workloads, without restoring the entire VM</p>
</li>
<li><p><strong>Built-in DR orchestration</strong> with failover, failback, and non-disruptive testing via Site Recovery</p>
</li>
<li><p><strong>Ransomware resilience</strong> through immutable backups, AES-256 encryption, air-gapped copies, and pre-recovery malware scanning</p>
</li>
<li><p><strong>Fast, deduplicated, compressed backups</strong> to minimize storage footprint across repositories</p>
</li>
</ul>
</li>
</ul>
<p>For organizations tracking the licensing shift away from standalone vSphere Standard and Enterprise Plus editions toward VMware vSphere Foundation 9.0, this update ensures NAKIVO keeps pace with where VMware is heading.</p>
<h3 id="heading-proxmox-ve-90-support-with-91-already-in-scope">Proxmox VE 9.0 Support, with 9.1 Already in Scope</h3>
<p><img src="https://www.bleepstatic.com/images/news/security/n/nakivo/ransomware-defense/Proxmox-V-9_0-Support-with-9_1-Already-in-Scope.jpg" alt /></p>
<p>NAKIVO's Proxmox support continues to mature. v11.2 brings full compatibility with Proxmox VE 9.0, and support for Proxmox VE 9.1 is already built in, letting Proxmox environments upgrade without risking protection gaps.</p>
<p>For environments running Proxmox at the edge, in cost-sensitive production, or as a VMware alternative, the full feature set includes:</p>
<ul>
<li><p><strong>Agentless host-level backup and replication</strong> with no guest agents required, keeping VM overhead minimal</p>
<ul>
<li><p><strong>Block-level incrementals</strong> via native change tracking, matching the efficiency of CBT in VMware environments</p>
</li>
<li><p><strong>Instant VM and file-level recovery</strong> for rapid restoration of individual machines or specific files</p>
</li>
<li><p><strong>Automated verification with screenshot confirmation</strong> to validate recoverability without manual intervention</p>
</li>
<li><p><strong>Immutable backups</strong> on S3-compatible and object storage targets, including AWS S3, Wasabi, Azure Blob, and Backblaze B2</p>
</li>
<li><p><strong>AES-256 encryption</strong> at source, in transit, and at rest with air-gapped copy options via tape or detached storage</p>
</li>
</ul>
</li>
</ul>
<p>For hybrid environments running VMware and Proxmox side by side, NAKIVO's unified management interface provides a single workflow that covers both platforms, which matters as infrastructure grows in complexity.</p>
<h2 id="heading-ransomware-defense-across-the-board">Ransomware Defense Across the Board</h2>
<p><img src="https://www.bleepstatic.com/images/news/security/n/nakivo/ransomware-defense/Ransomware-Defense-Across-the-Board.png" alt /></p>
<p>Ransomware protection in v11.2 is integrated into the architecture rather than isolated as a single feature. Immutability is supported across a wide range of targets, including AWS S3, Wasabi, Azure Blob, Backblaze B2, HPE StoreOnce, NEC HYDRAstor, and Dell EMC Data Domain. Pre-recovery malware scanning catches threats before they re-enter production. Air-gapped options — tape, detached USB, or offline NAS — provide a last line of defense when network-connected copies are compromised.</p>
<p>"<em>Our priority is to give customers a smooth and secure path forward as their environments evolve</em>," said Bruce Talley, CEO of NAKIVO. "<em>v11.2 focuses on compatibility, security, and consistent performance as virtualization platforms advance.</em>"</p>
<p>Matt Mitchell, Web Developer at SEHD at the University of Colorado Denver, said: "<em>With NAKIVO Backup &amp; Replication, I can recover VMware VMs within 10 minutes. With data deduplication, we were able to decrease storage space by 80%.</em>"</p>
<h2 id="heading-oauth-20-secure-email-notifications-by-default">OAuth 2.0: Secure Email Notifications by Default</h2>
<p><img src="https://www.bleepstatic.com/images/news/security/n/nakivo/ransomware-defense/OAuth-2_0-Secure-Email-Notifications-by-Default.png" alt /></p>
<p>v11.2 introduces native OAuth 2.0 authentication for email notifications, replacing the deprecated basic authentication that major providers like Google Workspace and Microsoft 365 are actively phasing out.</p>
<p>The shift to token-based authentication removes stored plain-text credentials from the equation, delivering a meaningful compliance and security improvement, particularly for organizations under regulatory scrutiny.</p>
<p>HPE StoreOnce users gain full support for VSA Gen 5, improving deduplication appliance integration and repository performance. The platform has also been updated to Java SE 24 and the latest Spring Framework, delivering stability improvements, security patches, and incremental gains in backup and restore throughput — benefits that compound over time in high-frequency backup environments.</p>
<h2 id="heading-enhanced-msp-direct-connect-for-multi-tenant-management">Enhanced MSP Direct Connect for Multi-Tenant Management</h2>
<p><img src="https://www.bleepstatic.com/images/news/security/n/nakivo/ransomware-defense/MSP-Direct-Connect-for-Multi-Tenant-Management.png" alt /></p>
<p>Managed service providers running multi-tenant environments gain efficiency through enhanced MSP Direct Connect. The updated interface provides single-pane visibility across multiple tenants, reducing overhead and accelerating response times.</p>
<p>For MSPs scaling their service portfolios, this improvement directly supports growth without a proportional increase in administrative burden.</p>
<h2 id="heading-the-bottom-line">The Bottom Line</h2>
<p>NAKIVO Backup &amp; Replication v11.2 is an operationally important release. It removes the compatibility friction that holds teams back from upgrading infrastructure, strengthens ransomware resilience, and tightens security in areas that are easy to overlook until they become a problem. For VMware administrators preparing for a vSphere 9 migration, Proxmox environments approaching a version upgrade, or any organization seeking to enhance recovery capabilities, v11.2 provides a robust foundation for operational stability.</p>
<h2 id="heading-availability">Availability</h2>
<p><strong>NAKIVO Backup &amp; Replication v11.2 is available now. Organizations can download the fully featured free trial at .</strong></p>
<p>Resources:</p>
<h2 id="heading-about-nakivo">About NAKIVO</h2>
<p>NAKIVO is a US-based corporation dedicated to delivering the ultimate backup, ransomware protection, and disaster recovery solution for virtual, physical, cloud, and SaaS environments. Over 16,000 customers in 191 countries trust NAKIVO with protecting their data, including global brands like Coca-Cola, Honda, Siemens, and Cisco.</p>
<p>Visit:</p>
<p>Sponsored and written by .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Microsoft Teams right-click paste broken by Edge update bug]]></title><description><![CDATA[Microsoft is warning that a recent Microsoft Edge browser update introduced a bug that breaks right-click paste in chats in the Microsoft Teams desktop client.
In an advisory published on April 14, Microsoft says users are reporting that they are una...]]></description><link>https://news.fmisec.com/microsoft-teams-right-click-paste-broken-by-edge-update-bug</link><guid isPermaLink="true">https://news.fmisec.com/microsoft-teams-right-click-paste-broken-by-edge-update-bug</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sat, 18 Apr 2026 16:14:17 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2025/08/19/Microsoft-Teams.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2025/08/19/Microsoft-Teams.jpg" alt /></p>
<p>Microsoft is warning that a recent Microsoft Edge browser update introduced a bug that breaks right-click paste in chats in the Microsoft Teams desktop client.</p>
<p>In an advisory published on April 14, Microsoft says users are reporting that they are unable to paste URLs, text, or images into Teams chats when using right-click context menus, with the "Paste" option greyed out.</p>
<p>To work around the bug, Microsoft says users can still copy and paste content using keyboard shortcuts: Ctrl + C and Ctrl + V on Windows, or Cmd + C and Cmd + V on macOS.</p>
<p>"Impacted users report that they are unable to copy and paste URLs, text, and images in Microsoft Teams desktop client chats, as the paste option appears greyed out when using the right-click dropdown menu method," explains Microsoft.</p>
<p>"To bypass impact, we recommended that users attempt to copy the intended URLs, text, and images using Ctrl + C and paste using Ctrl + V for Windows, and corresponding Cmd + C and Cmd + V for Mac."</p>
<p>Microsoft says the bug is caused by a recent browser update that introduced a code regression in Microsoft Edge, which Microsoft Teams uses for certain functionality.</p>
<p>Admins on  and the  report that the problem is affecting users in corporate environments as well as individual users.</p>
<p>"I have multiple users on version 26072.519.4556.7438 experiencing this issue, including myself. Cannot right-click Paste, but CTRL+V and paste as text are allowed," an admin posted to the Microsoft Forums.</p>
<p><img src="https://www.bleepstatic.com/images/news/Microsoft/t/teams/edge-bug-breaks-copy-paste/teams-paste-greyed.jpg" alt /><strong>Paste option in Microsoft Teams is greyed out</strong></p>
<p>Other users said that reinstalling Teams or clearing the cache did not fix the problem.</p>
<p>Microsoft says it identified the cause and is rolling out a fix in stages while monitoring telemetry to confirm that systems are recovering.</p>
<p>As of the latest update on April 16, Microsoft has not provided an exact timeline for when the fix will be fully rolled out.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Webinar: From phishing to fallout — Why MSPs must rethink both security and recovery]]></title><description><![CDATA[Cyberattacks are evolving faster than many MSP and corporate defenses can keep up, with phishing now one of the primary drivers of modern cybercrime.
On Thursday, May 14, 2026 at 2:00 PM ET BleepingComputer will host a live webinar titled "**" with e...]]></description><link>https://news.fmisec.com/webinar-from-phishing-to-fallout-why-msps-must-rethink-both-security-and-recovery</link><guid isPermaLink="true">https://news.fmisec.com/webinar-from-phishing-to-fallout-why-msps-must-rethink-both-security-and-recovery</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Fri, 17 Apr 2026 17:28:04 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2023/09/22/hacker-looking-at-computer-screens.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2023/09/22/hacker-looking-at-computer-screens.jpg" alt /></p>
<p>Cyberattacks are evolving faster than many MSP and corporate defenses can keep up, with phishing now one of the primary drivers of modern cybercrime.</p>
<p>On Thursday, May 14, 2026 at 2:00 PM ET BleepingComputer will host a live webinar titled "<em>**</em>" with experts from Kaseya.</p>
<p>The webinar explores how today's attacks unfold and why security and backup strategies must work together to reduce risk and ensure recovery.</p>
<p>The session will examine how AI-powered phishing, business email compromise, and ransomware campaigns are becoming more targeted and harder to detect, often bypassing traditional security controls. Even when threats are identified, delays in response or gaps in recovery planning can turn a contained incident into a full-scale outage.</p>
<p>Kaseya, known for its MSP-focused security and backup solutions, helps service providers take a more integrated approach to cyber resilience. By combining prevention, detection, and rapid recovery, MSPs can better protect client environments and maintain business continuity when incidents occur.</p>
<p>In this webinar, attendees will gain practical insight into how attackers are exploiting trusted infrastructure and SaaS platforms, and how MSPs can adapt their strategies to stay ahead of increasingly sophisticated threats.</p>
<h2 id="heading-security-alone-isnt-enough-anymore">Security alone isn’t enough anymore</h2>
<p>While preventing attacks remains critical, the reality is that not every threat can be stopped. Many MSPs discover too late that their security stack lacks the ability to respond quickly or recover effectively after a breach.</p>
<p>Modern attacks frequently move beyond initial access to data theft, account takeover, and ransomware deployment, making recovery capabilities just as important as detection.</p>
<p>This webinar will explore how integrating backup and disaster recovery into security strategies can significantly reduce downtime and limit the impact of an incident.</p>
<h3 id="heading-the-upcoming-webinar-will-cover">The upcoming webinar will cover:</h3>
<ul>
<li><p>Why AI-driven phishing and brand impersonation are outpacing traditional email security</p>
</li>
<li><p>How attackers use trusted infrastructure and SaaS platforms to bypass defenses</p>
</li>
<li><p>Where MSP security strategies often fail after initial compromise</p>
</li>
<li><p>Why SaaS backups and BCDR planning are critical for cyber resilience</p>
</li>
<li><p>How leading MSPs combine prevention, detection, and rapid recovery</p>
</li>
</ul>
<p>Don’t miss this opportunity to learn how to strengthen your MSP’s security posture and ensure your clients can recover quickly when incidents occur.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops]]></title><description><![CDATA[*
The underground market for stolen credit card data has long operated as a volatile and highly deceptive ecosystem, where even experienced actors routinely fall victim to scams, exit schemes, and compromised services.
In recent years, this environme...]]></description><link>https://news.fmisec.com/inside-an-underground-guide-how-threat-actors-vet-stolen-credit-card-shops</link><guid isPermaLink="true">https://news.fmisec.com/inside-an-underground-guide-how-threat-actors-vet-stolen-credit-card-shops</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Fri, 17 Apr 2026 17:28:03 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/14/header-imges.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p>The underground market for stolen credit card data has long operated as a volatile and highly deceptive ecosystem, where even experienced actors routinely fall victim to scams, exit schemes, and compromised services.</p>
<p>In recent years, this environment has become even more unstable, driven by increased law enforcement pressure, internal distrust among criminals, and the rapid turnover of marketplaces. As a result, threat actors are increasingly forced to adopt more structured approaches to identifying reliable suppliers and minimizing risk within their own illicit operations.</p>
<p>A guide found on an underground forum by  analysts sheds light on how threat actors themselves navigate the volatile world of credit card (CC) marketplaces.</p>
<p>The document, titled “<em>The Underground Guide to Legit CC Shops: Cutting Through the Bullshit</em>”, provides a structured look at how actors attempt to reduce risk in an ecosystem plagued by scams, law enforcement infiltration, and short‑lived operations.</p>
<p>Analysis of the guide reveals more than just practical advice. It outlines a methodology for vetting carding shops, operational security practices, and sourcing strategies, effectively documenting how today’s fraud actors think about trust, reliability, and survivability.</p>
<p>While parts of the guide appear to promote specific services, suggesting a possible vested interest from its author, it still offers a valuable glimpse into the inner workings of the carding economy, and the evolving standards actors use to operate within it.</p>
<h2 id="heading-from-opportunistic-fraud-to-supplier-vetting-discipline">From Opportunistic Fraud to Supplier Vetting Discipline</h2>
<p>One of the most striking aspects of the guide is how it reframes carding from opportunistic fraud into a process‑driven discipline. Rather than focusing on how to use stolen cards, the document emphasizes how to evaluate suppliers.</p>
<p>This shift reflects a broader evolution within underground markets, where the primary risk is no longer just operational failure, but being defrauded by other criminals or interacting with compromised infrastructure.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/f/flare/carding/cardhub-our-services.jpg" alt /><strong>Screenshot from one of the recommended shops in the guide, named "CardingHub"</strong></p>
<p>The author repeatedly stresses that legitimacy is not defined by branding or visibility, but by survivability. In other words, a “real” shop is one that continues operating over time despite law enforcement operations, scams, and internal instability.</p>
<p>This aligns with observed trends in underground economies, where the lifespan of marketplaces has become increasingly unpredictable, forcing actors to adopt continuous verification practices.</p>
<p>The guide makes it clear that what separates a “legitimate” shop from the rest isn’t branding or uptime; it’s the quality of the stolen data it delivers. References to “fresh bins” (BIN = Bank Identification Number) and low decline rates point directly to the sources behind the data, whether from  infections,  campaigns, or point-of-sale breaches. In this ecosystem, reputation isn’t built on promises but on consistently providing cards that actually work.</p>
<p>Shops that fail to maintain reliable data sources are quickly exposed, while those with steady access to fresh compromises rise to the top.</p>
<p>Carding actors are adopting disciplined workflows to source and test stolen financial data.</p>
<p>Flare continuously monitors underground forums and marketplaces, giving your team early visibility into exposed credentials, compromised cards, and emerging fraud infrastructure.</p>
<h2 id="heading-building-trust-in-a-trustless-market">Building Trust in a Trustless Market</h2>
<p>Transparency is another recurring theme. The guide highlights the importance of clear pricing models, real‑time inventory, and functional support systems, including ticketing and escrow services. These characteristics closely mirror legitimate e‑commerce platforms, underscoring how leading carding shops have adopted business practices designed to build user confidence and reduce friction.</p>
<p>Equally important is the role of community validation. The guide dismisses on‑site testimonials as unreliable, instead directing users toward discussions in closed or invite‑only forums. This reflects a broader fragmentation of the underground landscape, where trust is increasingly tied to controlled environments and long‑standing reputations.</p>
<p>Actors are encouraged to look for sustained discussion threads and historical presence, rather than isolated positive feedback.</p>
<p>The document also reveals a strong awareness of adversarial pressures. The emphasis on security‑first infrastructure, such as mirror domains, DDoS protection, and the absence of tracking mechanisms, suggests that operators are actively defending against both law enforcement monitoring and competing criminal groups.</p>
<p>In effect, these marketplaces function not only as distribution platforms, but as hardened environments designed to ensure operational continuity.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/f/flare/carding/carding-hublisting.jpg" alt /><strong>Screenshot from one of the recommended shops in the guide, named "CardingHub"</strong></p>
<h2 id="heading-the-technical-checklist">The Technical Checklist</h2>
<p>Beyond high‑level principles, the guide introduces a step‑by‑step vetting protocol that provides insight into how threat actors conduct due diligence. Technical checks such as domain age, WHOIS privacy, and SSL configuration are presented as baseline requirements.</p>
<p>While these checks are relatively simple, they demonstrate an effort to apply structured analysis to what has historically been a trust‑based decision process.</p>
<p>The guide also highlights the importance of identifying mirror infrastructure and backup access points, noting that established operations rarely rely on a single domain. This reflects a practical understanding of the instability of underground services, where takedowns and disruptions are common. The presence of multiple access points is framed as an indicator of operational maturity and resilience.</p>
<p>Social intelligence gathering plays an equally significant role. Rather than relying on direct interactions with vendors, users are encouraged to analyze forum discussions, track vendor histories, and identify patterns of behavior over time.</p>
<p>Particular attention is given to detecting coordinated endorsement campaigns, such as multiple positive reviews originating from newly created accounts, a tactic frequently associated with scams.</p>
<h2 id="heading-operational-security">Operational Security</h2>
<p>Another critical component of the guide is its focus on operational security. The recommendations provided, while framed in the context of carding, closely mirror practices observed across a wide range of cybercriminal activities. Users are advised to avoid direct connections, utilize proxy services aligned with target geographies, and compartmentalize their environments through dedicated systems or virtual machines.</p>
<p>The discussion of cryptocurrency usage is particularly notable. The guide strongly discourages direct transactions from regulated platforms, instead advocating for intermediary wallets and privacy‑focused assets such as Monero. This reflects a growing awareness among threat actors of blockchain analysis capabilities and the risks associated with traceable financial flows.</p>
<p>Taken together, these OPSEC recommendations highlight an important shift: actors are no longer relying solely on tools to evade detection, but are adopting layered strategies designed to reduce exposure across the entire operational chain. This level of discipline suggests that even mid‑tier actors are increasingly adopting practices once associated with more advanced threat groups.</p>
<h2 id="heading-scale-vs-exclusivity">Scale vs. Exclusivity</h2>
<p>The guide further categorizes carding shops into distinct operational models, including large automated platforms and smaller, curated vendor groups. This segmentation reflects the diversification of the underground economy, where different actors prioritize scale, accessibility, or quality depending on their objectives.</p>
<p>Automated platforms are described as highly efficient environments, often featuring integrated tools and instant purchasing capabilities. These operations resemble legitimate online marketplaces in both structure and functionality, enabling users to quickly acquire and test data at scale.</p>
<p>In contrast, boutique vendor groups emphasize exclusivity, higher quality, and controlled access, often relying on invitation‑based systems and long‑term relationships.</p>
<h2 id="heading-commercial-interests-and-operational-reality">Commercial Interests and Operational Reality</h2>
<p>Despite its structured approach, the guide is not without bias. The inclusion of a direct endorsement for a specific platform suggests that the author may have a vested interest in promoting certain services. This is a common pattern in underground communities, where informational content is often used as a vehicle for subtle advertising or affiliate activity.</p>
<p>Such endorsements should be viewed with caution. However, they do not necessarily invalidate the broader insights provided by the guide. Instead, they highlight the complex interplay between information sharing and commercial interests within cybercriminal ecosystems.</p>
<p>From a defensive perspective, the guide offers valuable intelligence into how threat actors assess risk and make operational decisions. The emphasis on verification, community validation, and layered security reflects a level of maturity that complicates traditional disruption efforts. Rather than relying on single points of failure, actors are increasingly building redundancy and adaptability into their workflows.</p>
<p>Ultimately, the document serves as both a playbook and a signal. It demonstrates that the carding ecosystem has become more structured, more cautious, and more resilient. For defenders, understanding these dynamics is critical to anticipating how these markets will continue to evolve, and where opportunities for disruption may still exist.</p>
<h2 id="heading-how-flare-can-help">How Flare Can Help</h2>
<p>Flare helps organizations stay ahead of fraud by continuously monitoring underground forums and marketplaces, revealing how threat actors source, vet, and use stolen credit card data. This provides early insight into attacker behavior, including how they optimize success rates, build trust, and adapt to defenses.</p>
<p>By turning this intelligence into actionable insights, Flare enables security teams to detect exposures, anticipate fraud campaigns, and disrupt attacker workflows, shifting from reactive response to proactive, intelligence-driven defense.</p>
<p>Sponsored and written by .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[New ATHR vishing platform uses AI voice agents for automated attacks]]></title><description><![CDATA[A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase.
The malicious operation is advertised on underground forums for $4,...]]></description><link>https://news.fmisec.com/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks</link><guid isPermaLink="true">https://news.fmisec.com/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Thu, 16 Apr 2026 17:15:49 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/16/Robot.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/16/Robot.jpg" alt /></p>
<p>A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase.</p>
<p>The malicious operation is advertised on underground forums for $4,000 and a 10% commission from profits, and can steal login data for multiple services, including Google, Microsoft, and Coinbase.</p>
<p>Automation covers the entire telephone-oriented attack delivery (TOAD) stages, from luring targets over email to conducting voice-based social engineering and harvesting account credentials.</p>
<h3 id="heading-athr-attack-chain">ATHR attack chain</h3>
<p>According to researchers at cloud email security company Abnormal, ATHR is a complete phishing/vishing attack generator that offers brand-specific email templates, per-target customization, and spoofing mechanisms to make it appear as if the message originates from a trusted sender.</p>
<p>At the time of their analysis, the researchers observed that ATHR supported eight online services: Google, Microsoft, Coinbase, Binance, Gemini, Crypto.com, Yahoo, and AOL.</p>
<p>The attack starts with the victim receiving an email crafted to pass casual verification and even technical authentication checks.</p>
<p>"The lure is typically a fake security alert or account notification - something urgent enough to prompt a phone call but generic enough to avoid triggering content-based filters,"  in a report today.</p>
<p>Calling the phone number in the email routes the victim through Asterisk and WebRTC to AI voice agents driven by carefully crafted prompts that guide the victim through the data theft process.</p>
<p>The agents follow a multi-step script simulating a security incident. For Google accounts, they replicate the account recovery and verification process, using preset prompts that shape their tone, approach, persona, and behavior to mimic professional support staff.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2026/April/ATHR-Blog-2-AI-Agent-Script-Builder.jpg" alt /><strong>ATHR's AI agent script builder tool</strong>
<em>Source: Abnormal</em></p>
<p>The purpose of the fake recovery process is to extract a six-digit verification code that allows the attacker to gain access to the victim's account.</p>
<p>Although ATHR does offer the option to route the call to a human operator, the ability to use an AI agent is what sets it apart.</p>
<p>ATHR's dashboard gives operators control over the entire process and real-time data for each attack per target.</p>
<p>Through the ATHR panel, they control email distribution, handle calls, and manage phishing operations, monitoring outcomes in real time and receiving logs containing the stolen data.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2026/April/ATHR-Blog-1-Live-Dashboard.jpg" alt /><strong>ATHR main dashboard</strong>
<em>Source: Abnormal</em></p>
<p>Researchers at Abnormal warn that ATHR significantly reduces the manual effort for the operator and provides threat actors with an integrated platform that can handle all stages of a TOAD attack without the need to configure individual components.</p>
<p>This allows less technical attackers with no infrastructure to deploy automated vishing attacks from start to finish.</p>
<p>"The shift from a fragmented, manually intensive operation to a productized, largely automated one means TOAD attacks no longer require large teams or specialized infrastructure," Abnormal warns.</p>
<p>With the rise of ATHR-like cybercrime platforms, the researchers expect vishing attacks to become more frequent and more difficult to distinguish from legitimate communications.</p>
<p>Defending against such attacks requires a different approach, since the lure emails carry no reliable indicators, are customized to authenticate correctly, and appear as valid notifications.</p>
<p>However, detection is possible by checking the communication behavioral patterns between a sender and a recipient, and identifying if similar lures containing a phone number reached the organization within a short time frame.</p>
<p>Abnormal researchers say that modeling normal communication behavior across the organization can help AI-powered detection flag anomalies before targets make a call.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Microsoft: April updates trigger BitLocker key prompts on some servers]]></title><description><![CDATA[Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.
BitLocker is a Windows security feature that encrypts storage drives to prevent ...]]></description><link>https://news.fmisec.com/microsoft-april-updates-trigger-bitlocker-key-prompts-on-some-servers</link><guid isPermaLink="true">https://news.fmisec.com/microsoft-april-updates-trigger-bitlocker-key-prompts-on-some-servers</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Wed, 15 Apr 2026 17:42:36 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2024/05/24/windows-logo-locked.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2024/05/24/windows-logo-locked.jpg" alt /></p>
<p>Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.</p>
<p>BitLocker is a Windows security feature that encrypts storage drives to prevent data theft. Windows computers typically enter BitLocker recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, to regain access to protected drives that have not been unlocked via the default unlock mechanism.</p>
<p>"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft .</p>
<p>"In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."</p>
<p>However, as the company explained, this only happens for very specific configurations, on systems where all the following conditions are met:</p>
<ol>
<li><p>$1</p>
</li>
<li><p>$1</p>
</li>
<li><p>$1</p>
</li>
<li><p>$1</p>
</li>
<li><p>$1</p>
</li>
</ol>
<p>Microsoft added that this known issue is unlikely to affect personal devices, as impacted configurations are typically found on systems managed by enterprise IT teams.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1109292/2024/BitLocker%20recovery%20screen.png" alt /><em>BitLocker recovery screen (Microsoft)</em></p>
<p>The company is now working on a solution to this issue and has shared temporary workarounds that allow installation of this month's security updates.</p>
<p>Admins are advised to remove the Group Policy configuration before deploying the KB5082063 update, and to ensure that BitLocker bindings use the PCR7 profile by following .</p>
<p>Those who can't remove the PCR7 group policy before installing can apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager and to avoid triggering BitLocker recovery.</p>
<p>In May 2025, Microsoft  to address a similar issue that was causing Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.</p>
<p>One year earlier, in August 2024, Microsoft  triggering BitLocker recovery prompts across all supported Windows versions after .</p>
<p>In August 2022, Windows devices  after installing the .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Rolling Networks: Securing the Transportation Sector]]></title><description><![CDATA[*
Author: Ben Wilkens, cybersecurity principal engineer, NMFTA
When they see an 80,000-pound vehicle rolling down the highway at 65 miles per hour, the first thing most people think about is not cybersecurity.
The fact is, these massive vehicles are ...]]></description><link>https://news.fmisec.com/rolling-networks-securing-the-transportation-sector</link><guid isPermaLink="true">https://news.fmisec.com/rolling-networks-securing-the-transportation-sector</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Wed, 15 Apr 2026 17:42:35 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/14/cybersecurity-lock-over-truck.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p><em>Author: Ben Wilkens, cybersecurity principal engineer, NMFTA</em></p>
<p>When they see an 80,000-pound vehicle rolling down the highway at 65 miles per hour, the first thing most people think about is not cybersecurity.</p>
<p>The fact is, these massive vehicles are rolling networks packed with a wide range of communications systems, onboard sensors, cloud connected devices, and Wi-Fi signals. In other words, these mobile assets are loaded with potential attack surfaces.</p>
<p>Trucking is the backbone of one of the critical infrastructure sectors that is central to daily life in North America.</p>
<p>Trucks bring the fuel to our power stations, the medicine to our hospitals; they transport the food to our grocery stores and the fuel to our gas stations. Without trucks, many of these critical supplies run out within three days.</p>
<p>Cybercriminals have realized that this places an enormous amount of pressure on trucking and logistics companies to maintain 100% uptime, and they leverage this with ransomware and extortion attacks every day.</p>
<p>This is the threat landscape that those working in cybersecurity in the transportation sector, from offensive security practitioners hunting for ways to penetrate the onboard systems that keep these vehicles rolling, to defenders securing the enterprises that support them, see when they look at trucks on the highway.</p>
<h2 id="heading-atypical-threat-vectors">Atypical Threat Vectors</h2>
<p>The threats posed by cybercrime in the transportation sector do not end with traditional cyberattacks.  take traditional cyberattack techniques and use them to facilitate the theft of physical cargo.</p>
<p>In 2025 alone there was over $725 million in reported cargo theft losses, according to a recent study from .</p>
<p>These cargo thieves take advantage of lapses in operational security, physical security and cybersecurity with laser-precision to impersonate legitimate brokers and carriers, steal credentials to freight booking sites (“load boards”), and con shippers and freight brokers into releasing freight to bad actors posing as legitimate truck drivers.</p>
<p>Take for example the theft of over $1 million of  last fall. Organized criminals using fabricated identities built a relationship with a freight broker by legitimately hauling multiple loads to build trust.</p>
<p>Once they had established this trust, they targeted this high-value shipment by spoofing the GPS signals of onboard tracking devices while they hauled the two loads to their own facilities. They made off with two entire truckloads of rare tequila before the theft was even detected.</p>
<p>Many legitimate drivers are also duped into hauling cargo to warehouses operated by criminals using the stolen digital identities of legitimate freight brokers.</p>
<p>Once delivered to the criminals’ warehouse by this unwitting accomplice, the freight is broken down into numerous other shipments and resold to unsuspecting customers, on the black market, or even through “Amazon-like” storefronts.</p>
<p>Join security practitioners, motor carriers, and technology leaders at NMFTA’s Cybersecurity Conference on September 29 through October 2, 2026 in Long Beach, CA.</p>
<p>Attendees will learn about real-world insights and strategies to protect connected freight systems.</p>
<h2 id="heading-the-good-news-story">The Good News Story</h2>
<p>There is a good news story here too, though: because traditional cyberattack techniques are the primary methods of attack, core cybersecurity hygiene practices can significantly reduce the risk that trucking organizations face.</p>
<p>Many of the well-known cybersecurity frameworks and standards (NIST RMF, ISO 27001, CIS Controls, etc.) apply directly in this instance. Multi-Factor Authentication (MFA), network segmentation, social engineering awareness training, and strict patching schedules are all familiar controls to everyone in cybersecurity.</p>
<p>The caveat here is that the vast majority of registered trucking and logistics companies qualify as small businesses or are even single owner-operators. This can make the adoption of these standards and attaining a hardened cybersecurity stance challenging.</p>
<p>This fact has led to the need for  of these controls, specifically tailored to the various scales of companies that operate in the sector. These are now freely available to the industry and are helping to move the needle in the right direction.</p>
<p>Reducing the cybersecurity risks that the transportation sector is facing is the mission that the cybersecurity team at the National Motor Freight Traffic Association, Inc.® (NMFTA)® supports through research and development, education, and providing opportunities for the security community in the industry to collaborate and share hard-won lessons learned.</p>
<p>Beginning over a decade ago with security research into the physical “rolling assets” (trucks and trailers) and deep dives into telematics systems and electronic logging devices (ELDs) used to monitor driver’s hours of service compliance, NMFTA has brought cybersecurity to the forefront of the conversation in the trucking industry.</p>
<p>More recently their aperture has widened to also include security in the enterprise by providing cybersecurity  as well as technical guides to help reduce the risk of cyber-enabled cargo crime.</p>
<p>Every year the NMFTA hosts an  unique in the sector where security practitioners, decision makers from across the transportation sector, and many of the vendors that provide the industry with the tools needed to combat its security challenges gather to discuss lessons learned, tools of the trade, and the ways to secure the latest in emerging technologies.</p>
<p>The cyber threats facing the transportation sector are real, and they are complex. Through a combination of collaboration, research, and a healthy dose of good old fashioned hard work, this essential backbone of our society is rising to the challenge with the help of many dedicated cybersecurity professionals.</p>
<p>Like so many other industries, transportation is racing to stay one step ahead of cybercriminals intent on harm, with emerging technologies opening up a host of new threat vectors. But as someone who has lived and worked in this industry for over two decades, I am optimistic when I look to the future.</p>
<p>When I see a truck rolling down the highway, I see the leading edge of an industry rising to the latest cybersecurity challenges.</p>
<p><strong>Join security practitioners, motor carriers, and technology leaders at  to collaborate, share insights, and stay ahead of the evolving cyberthreats facing the transportation sector.</strong></p>
<p>Sponsored and written by .*</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[European Gym giant Basic-Fit data breach affects 1 million members]]></title><description><![CDATA[Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers.
The company operates the largest gym chain in Europe, owning more than 1,700 clubs and over 430 franch...]]></description><link>https://news.fmisec.com/european-gym-giant-basic-fit-data-breach-affects-1-million-members</link><guid isPermaLink="true">https://news.fmisec.com/european-gym-giant-basic-fit-data-breach-affects-1-million-members</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Tue, 14 Apr 2026 17:48:04 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/13/BasicFit.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/13/BasicFit.jpg" alt /></p>
<p>Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers.</p>
<p>The company operates the largest gym chain in Europe, owning more than 1,700 clubs and over 430 franchises in 12 countries, including the Netherlands, Belgium, France, Spain, and Germany.</p>
<p>In a disclosure published on its website earlier today, Basic-Fit states that club members impacted by the cyberattack have been informed directly.</p>
<p>“Today, Basic-Fit has notified the relevant data protection authority concerning unauthorized access to the system that records members’ visits to Basic-Fit clubs,” reads the.</p>
<p>“The unauthorized access was detected by our system monitoring processes and was stopped within minutes of discovery.”</p>
<p>Despite the claimed quick response, an investigation conducted with the help of external security experts found that the attacker exfiltrated data belonging to some Basic-Fit members, which includes the following:</p>
<ul>
<li><p>Full name</p>
</li>
<li><p>Physical address</p>
</li>
<li><p>Email address</p>
</li>
<li><p>Phone number</p>
</li>
<li><p>Date of birth</p>
</li>
<li><p>Bank account details</p>
</li>
<li><p>Other membership information</p>
</li>
</ul>
<p>It is important to note that customer data at Basic-Fit franchises has not been exposed in the incident, as it is stored on a separate system.</p>
<p>In the public disclosure, the company specified that the number of affected individuals in the Netherlands is 200,000. However, a spokesperson told BleepingComputer that the total number is around 1 million members in the Netherlands, Belgium, Luxembourg, France, Spain, and Germany.</p>
<p>The Basic-Fit representative noted that the gyms across Europe have around five million members.</p>
<p>According to the official disclosure, no identification documents or account passwords were accessed as a result of the data breach.</p>
<p>Based on data retention laws in the European Union, Basic-Fit is required to delete all personal data and membership automatically after two years.</p>
<p>Customers can access data in their My Basic-Fit app one year after termination. Information in the app should be removed automatically two months after uninstalling it from the device, and upon membership termination.</p>
<p>Basic-Fit says that its investigation of the incident's impact did not reveal that the data was leaked online. Nevertheless, the company will continue to monitor with the help of external experts.</p>
<p>Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.</p>
<p>This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[5 Ways Zero Trust Maximizes Identity Security]]></title><description><![CDATA[*
 of known initial access vectors in 2025. It’s the most common way for attackers to breach a network, and once inside, excessive permissions and limited visibility often allow them to escalate unchecked.
Zero Trust is positioned as the answer. In t...]]></description><link>https://news.fmisec.com/5-ways-zero-trust-maximizes-identity-security</link><guid isPermaLink="true">https://news.fmisec.com/5-ways-zero-trust-maximizes-identity-security</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Tue, 14 Apr 2026 17:48:03 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/06/specops-mobile-device-lock.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p> of known initial access vectors in 2025. It’s the most common way for attackers to breach a network, and once inside, excessive permissions and limited visibility often allow them to escalate unchecked.</p>
<p>Zero Trust is positioned as the answer. In theory, removing implicit trust and requiring every access request to be verified should improve security. But in practice, simply adopting Zero Trust principles isn’t enough.</p>
<p>If it’s implemented as a set of isolated controls rather than a cohesive identity strategy, gaps remain, and attackers will find them.</p>
<p>To truly strengthen identity security, Zero Trust must be applied with identity at its core: tightly governed, continuously validated, and fully visible across the environment. The following five approaches show how a well-executed Zero Trust model strengthens identity security in practical, measurable ways.</p>
<h2 id="heading-1-enforcing-least-privilege-access">1. Enforcing least privilege access</h2>
<p>It’s common for users to accumulate permissions over time as roles change, projects evolve, or temporary access isn’t revoked. The result is a level of access that far exceeds what users actually need for their job.</p>
<p>If attackers compromise that account, they inherit those same privileges, giving them a broader foothold from the outset.</p>
<p> applies the principle of least privilege to limit that exposure. Access is contingent upon specific requirements, rather than broad or permanent permissions. That means just-in-time access and time-bound privileges, with strict segmentation between systems and data.</p>
<p>If credentials are stolen, the potential impact is then contained. Attackers are far less able to escalate privileges or access sensitive systems, reducing both the likelihood and severity of a breach.</p>
<p>Verizon’s Data Breach Investigations Report found that stolen credentials are involved in 44.7% of breaches.</p>
<p>Effortlessly secure Active Directory with compliant password policies, blocking 4+ billion compromised passwords, boosting security, and slashing support hassles!</p>
<h2 id="heading-2-continuous-context-aware-authentication">2. Continuous, context-aware authentication</h2>
<p> In a Zero Trust environment, treating authentication as a one-time event at login is a dangerous oversight. Attackers now use session hijacking and token theft to bypass initial checks entirely, moving through the network under the guise of a legitimate user.</p>
<p>They often leverage compromised devices to blend in with normal activity, remaining invisible to traditional security triggers.</p>
<p>Organizations need continuous, context-aware authentication to address this gap. Instead of relying solely on credentials, device health should also influence access decisions.</p>
<p>Solutions like  deliver that assurance. By binding identities to trusted devices, it prevents attackers from using passwords on their own hardware or unknown virtual environments.</p>
<p>If a device falls out of compliance, such as through a disabled firewall or missed update, users are prompted to fix it, and access can be restricted or revoked until they do.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/t/token/have-the-key/Device-Authentication-1-orig.gif" alt /><em>Specops Device Trust</em></p>
<p>Additionally, Specops Device Trust supports Windows, macOS, Linux, iOS, and Android, enabling consistent device trust across an organization’s entire network, including BYOD and third-party devices.</p>
<p>This adds a crucial layer to  as credentials are far harder to abuse without a trusted device.</p>
<h2 id="heading-3-limiting-lateral-movement">3. Limiting lateral movement</h2>
<p>Zero Trust is designed to disrupt an attacker’s progression from initial compromise to privileged access. This involves segmenting access at a granular level and continuously verifying identity for each new request, rather than allowing unrestricted movement within the network.</p>
<p>Even users with legitimate access are limited to only the systems and data required for their role. This means that should an account be breached, the attacker’s ability to explore the environment, , or reach high-value assets is constrained at every step.</p>
<p>In practice, this containment can be the difference between a minor incident and a large-scale breach, turning what could have been widespread compromise into a far more manageable security event.</p>
<h2 id="heading-4-securing-remote-work-and-third-party-access">4. Securing remote work and third-party access</h2>
<p> and third-party collaboration have become standard, but they also introduce additional identity risk. Employees are logging in from unmanaged devices and networks, alongside vendors and partners.</p>
<p>In traditional models, this access is frequently overprovisioned or insufficiently monitored, creating gaps that attackers can exploit. A compromised third-party developer account, for example, offers a direct route into sensitive environments.</p>
<p>Zero Trust addresses this by treating every user and device as untrusted by default. Access is granted based on verified identity, device posture, and context, rather than network location or assumed trust.</p>
<p>This allows organizations to apply consistent security controls across all access points. Third-party users can be restricted to specific systems; sessions can be monitored more closely, and access can be revoked as soon as it’s no longer needed.</p>
<h2 id="heading-5-centralized-identity-governance-and-monitoring">5. Centralized identity governance and monitoring</h2>
<p>As identity environments grow, so does the challenge of maintaining visibility and control. Particularly in larger organizations, users, roles, applications, and permissions are spread across multiple systems, making it difficult for security teams to see who has access to what at any given time.</p>
<p>Zero Trust brings identity governance and monitoring into a more centralized model. Security teams can manage access policies, authentication events, and user activity from a single point, rather than in isolation.</p>
<p>Unusual access patterns, privilege changes, or policy violations can be detected and investigated more quickly, reducing the time attackers have to operate undetected.</p>
<h2 id="heading-implementing-zero-trust-identity-security-in-your-organization">Implementing Zero Trust identity security in your organization</h2>
<p>Moving toward a Zero Trust model is a journey, not a weekend project. You don't have to overhaul everything at once. Most organizations find the most immediate success by prioritizing phishing-resistant multi-factor authentication and device health checks first.</p>
<p>By starting with these high-impact controls, you can secure your most vulnerable entry points while gradually tightening least-privilege policies across the rest of your infrastructure.</p>
<p>Interested in seeing how Specops’ identity security services can help your organization move towards true Zero Trust authentication?</p>
<p>Contact us today or  to see our solutions in action.</p>
<p>Sponsored and written by .*</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Critical Marimo pre-auth RCE flaw now under active exploitation]]></title><description><![CDATA[Hackers started exploiting a critical vulnerability in the Marimo open-source reactive Python notebook platform just 10 hours after its public disclosure.
The flaw allows remote code execution without authentication in Marimo versions 0.20.4 and earl...]]></description><link>https://news.fmisec.com/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation</link><guid isPermaLink="true">https://news.fmisec.com/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Mon, 13 Apr 2026 17:06:20 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/10/Marimo.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/10/Marimo.jpg" alt /></p>
<p>Hackers started exploiting a critical vulnerability in the Marimo open-source reactive Python notebook platform just 10 hours after its public disclosure.</p>
<p>The flaw allows remote code execution without authentication in Marimo versions 0.20.4 and earlier. It is tracked as  and GitHub assessed it with a critical score of 9.3 out of 10.</p>
<p>According to researchers at cloud-security company Sysdig, attackers created an exploit from the information in the  and immediately started using it in attacks that exfiltrated sensitive information.</p>
<p>Marimo is an  Python notebook environment, typically used by data scientists, ML/AI practitioners, researchers, and developers building data apps or dashboards. It is a fairly popular project, with 20,000 GitHub stars and 1,000 forks.</p>
<p>CVE-2026-39987 is caused by the WebSocket endpoint ‘/terminal/ws’ exposing an interactive terminal without proper authentication checks, allowing connections from any unauthenticated client.</p>
<p>This gives direct access to a full interactive shell, running with the same privileges as the Marimo process.</p>
<p>Marimo disclosed the flaw on April 8 and yesterday released  to address it. The developers noted that the flaw affects users who deployed Marimo as an editable notebook, and those who expose Marimo to a shared network using --host 0.0.0.0 while in edit mode.</p>
<h3 id="heading-exploitation-in-the-wild">Exploitation in the wild</h3>
<p>Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.</p>
<p>Less than 10 hours after the disclosure, the researchers observed the first exploitation attempt in a credential theft operation.</p>
<p>The attacker first validated the vulnerability by connecting to the /terminal/ws endpoint and executing a short scripted sequence to confirm remote command execution, disconnecting within seconds.</p>
<p>Shortly after, they reconnected and began manual reconnaissance, issuing basic commands such as pwd, whoami, and ls to understand the environment, followed by directory navigation attempts and checks for SSH-related locations.</p>
<p>Next, the attacker focused on credential harvesting, immediately targeting the .env file and extracting environment variables, including cloud credentials and application secrets. They then attempted to read additional files in the working directory and continued probing for SSH keys.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2026/April/cred-theft.jpg" alt /><strong>Stealing credentials</strong>
<em>Source: Sysdig</em></p>
<p>The entire credential access phase was completed in less than three minutes, notes a  this week.</p>
<p>Roughly an hour later, the attacker returned for a second exploitation session using the same exploit sequence.</p>
<p>The researchers say that behind the attack appears to be a “methodical operator” with a hands-on approach, rather than automated scripts, focusing on high-value objectives such as stealing .env credentials and SSH keys.</p>
<p>The attackers did not attempt to install persistence, deploy cryptominers, or backdoors, suggesting a quick, stealthy operation.</p>
<p>Marimo users are recommended to upgrade to version 0.23.0 immediately, monitor WebSocket connections to ‘/terminal/ws,’ restrict external access via a firewall, and rotate all exposed secrets.</p>
<p>If upgrading is not possible, an effective mitigation is to block or disable access to the ‘/terminal/ws’ endpoint entirely.</p>
<p>Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.</p>
<p>This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[The silent “Storm”: New infostealer hijacks sessions, decrypts server-side]]></title><description><![CDATA[*
A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cooki...]]></description><link>https://news.fmisec.com/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side</link><guid isPermaLink="true">https://news.fmisec.com/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Mon, 13 Apr 2026 17:06:19 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/08/storm-cloud-infostealer.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>*</p>
<p>A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption.</p>
<p>To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running.</p>
<p>Then Google introduced App-Bound Encryption in Chrome 127 (July 2024), which tied encryption keys to Chrome itself and made local decryption even harder. The first wave of bypasses involved injecting into Chrome or abusing its debugging protocol, but those still left traces that security tools could pick up.</p>
<p>Stealer developers responded by stopping local decryption altogether and shipping encrypted files to their own infrastructure instead, removing the telemetry most endpoint tools rely on to catch credential theft.</p>
<p>Storm takes this approach further by handling both Chromium and Gecko-based browsers (Firefox, Waterfox, Pale Moon) server-side, where StealC V2 still processes Firefox locally.</p>
<p>Collected data includes everything attackers need to restore hijacked sessions remotely and steal from their victims: saved passwords, session cookies, autofill, Google account tokens, credit card data, and browsing history.</p>
<p>One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/marketplace-forum-post.jpg" alt /><strong>Storm's forum listing</strong></p>
<h2 id="heading-cookie-restore-and-session-hijacking"><strong>Cookie restore and session hijacking</strong></h2>
<p>Once Storm has decrypted the browser data, stolen credentials and session cookies are dumped directly into the operator's panel. Where most stealers require buyers to manually replay stolen logs, Storm automates the next step.</p>
<p>Feed in a Google Refresh Token and a geographically matched SOCKS5 proxy, and the panel silently restores the victim's authenticated session.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/cookie-restore-panel.jpg" alt /><strong>Cookie restore panel with a completed session hijack</strong></p>
<p>Varonis Threat Labs has covered this class of attack before. Our  research demonstrated how stolen Azure Entra ID session cookies render MFA irrelevant, giving attackers persistent access to Microsoft 365 without ever needing a password.</p>
<p>The  analysis showed how phishing kits intercept session tokens in real time to defeat Microsoft 365 MFA. Storm's cookie restore is the same underlying technique, productised and sold as a subscription feature.</p>
<p>AI introduces a new breed of email threats that are more deceptive than ever. Varonis Interceptor is the AI-native email security solution built to stop today's most sophisticated threats before they ever reach your inbox.</p>
<p>Watch the Interceptor webinar to see how Varonis enables true AI-powered security outcomes.</p>
<h2 id="heading-collection-and-infrastructure"><strong>Collection and infrastructure</strong></h2>
<p>Beyond credentials, Storm grabs documents from user directories, pulls session data from Telegram, Signal, and Discord, and targets crypto wallets through both browser extensions and desktop apps. System information and screenshots are captured across multiple monitors. Everything runs in memory to reduce the chance of detection.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/build-panel.jpg" alt /><strong>Build configuration with collection modules and file grabber rules</strong></p>
<p>On the infrastructure side, operators connect their own virtual private servers (VPS) to Storm's central servers, routing stolen data through infrastructure they control rather than a shared platform. This keeps the central servers insulated from takedown attempts, because law enforcement or abuse reports hit the operator's node first.</p>
<p>Team management supports multiple workers with permissions covering log access, build creation, and cookie restoration, so a single Storm licence can support a small cybercriminal operation with divided responsibilities.</p>
<p>Domain detection auto-labels stolen credentials by service, with rules visible for Google, Facebook, Twitter/X, and cPanel, making it straightforward for operators to filter and prioritise the accounts they want to exploit first.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/domain-detection-rules.jpg" alt /><strong>Domain detection rules</strong></p>
<h2 id="heading-active-campaigns-and-pricing"><strong>Active campaigns and pricing</strong></h2>
<p>At the time of investigation, the logs panel contained 1,715 entries spanning India, the US, Brazil, Indonesia, Ecuador, Vietnam, and several other countries. Whether all of these represent real victims or include test data is difficult to confirm from panel imagery alone, but the varied IPs, ISPs, and data sizes look consistent with active campaigns.</p>
<p>Credentials tagged to Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com appear across multiple entries, the kind of data that typically ends up on the  that feed account takeover, fraud, and initial access for more targeted intrusions.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/storm-log-panel.jpg" alt /><strong>Storm’s log panel</strong></p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/log-entries.jpg" alt /><strong>Log entries with cryptocurrency exchange hits</strong></p>
<p>Storm is sold on a tiered subscription: $300 for a 7-day demo, $900/month standard, $1,800/month for a team license with 100 operator seats and 200 builds. A crypter is required on top.</p>
<p>Builds keep running after a subscription expires, so deployed stealers continue harvesting data regardless of the operator’s license status.</p>
<p><img src="https://www.bleepstatic.com/images/news/security/v/varonis/storm-infostealer/storm-pricing.jpg" alt /><strong>The different prices and packages</strong></p>
<h2 id="heading-detecting-stolen-sessions"><strong>Detecting stolen sessions</strong></h2>
<p>Storm is consistent with a broader shift in the stealer market. Server-side decryption enables attackers to avoid tripping endpoint tools designed to catch traditional on-device decryption, and session cookie theft has been replacing password theft as the primary objective for a while now.</p>
<p>The credentials and sessions that stealers like Storm harvest are the start of what comes next: logins from unfamiliar locations, lateral movement, and data access that breaks established patterns.</p>
<h2 id="heading-indicators-of-compromise"><strong>Indicators of compromise</strong></h2>
<p>-
    <strong>Forum handle:</strong> StormStealer</p>
<p>    -
    <strong>Forum ID:</strong> 221756</p>
<p>    -
    <strong>Account registered:</strong> 12/12/25</p>
<p>    -
    <strong>Current version:</strong> v0.0.2.0 (Gunnar)</p>
<p>    -
    <strong>Build characteristics:</strong> C++ (MSVC/msbuild), ~460 KB, Windows only</p>
<p><em>This article originally appeared on the .</em></p>
<p>Sponsored and written by .*</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Over 20,000 crypto fraud victims identified in international crackdown]]></title><description><![CDATA[An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States.
Dubbed "Operation Atlantic," this joint action ...]]></description><link>https://news.fmisec.com/over-20000-crypto-fraud-victims-identified-in-international-crackdown</link><guid isPermaLink="true">https://news.fmisec.com/over-20000-crypto-fraud-victims-identified-in-international-crackdown</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sun, 12 Apr 2026 16:35:24 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/10/Hacker_bitcoin.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/10/Hacker_bitcoin.jpg" alt /></p>
<p>An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States.</p>
<p>Dubbed "Operation Atlantic," this joint action took place last month, and it involved the NCA, the U.S. Secret Service, the Ontario Provincial Police, the Ontario Securities Commission, and multiple private industry partners.</p>
<p>"The NCA hosted law enforcement agencies at their London HQ and through real time intelligence sharing, technical capabilities and victim outreach, multiple fraud networks were disrupted across the world," the . "City of London Police, Financial Conduct Authority and other international law enforcement bodies also joined the weeklong action."</p>
<p>The investigators have also frozen more than $12 million in suspected criminal proceeds obtained through "approval phishing" attacks, in which scammers trick victims into granting them access to their cryptocurrency wallets, typically via investment scams. They also identified more than $45 million in stolen cryptocurrency connected to fraud schemes worldwide.</p>
<p>Officials said the public-private partnership model used in Operation Atlantic will be a core element of the U.K. government's recently announced , which connects industry data and law enforcement expertise to enable fraud prevention.</p>
<p>"Operation Atlantic is a powerful example of what is possible when international agencies and private industry work side by side," added Miles Bonfield, NCA Deputy Director of Investigations.</p>
<p>"This intensive action has led to the safeguarding of thousands of victims in the UK and overseas, stopped criminals in their tracks and helped save others from losing their funds."</p>
<p>The NCA added that, together with law enforcement and private-sector partners, it will continue to analyze intelligence gathered during this joint action to support other victims and pursue potential criminal activity.</p>
<p>Since January 2024, the FBI has also identified more than 8,000 victims of cryptocurrency investment fraud (also known as pig butchering) with support from the U.S. Secret Service, as part of . The FBI said that roughly 77% of those victims were unaware they were being scammed and that the estimated savings to victims is $511,511,288.</p>
<p>In its , the FBI said it received 61,559 complaints of cryptocurrency investment fraud last year, linked to $7.228 billion in losses and representing a massive 48% increase in complaints and a 25% increase in losses from 2024.</p>
<p>Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.</p>
<p>This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Nearly 4,000 US industrial devices exposed to Iranian cyberattacks]]></title><description><![CDATA[The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation.
According to a  issu...]]></description><link>https://news.fmisec.com/nearly-4000-us-industrial-devices-exposed-to-iranian-cyberattacks</link><guid isPermaLink="true">https://news.fmisec.com/nearly-4000-us-industrial-devices-exposed-to-iranian-cyberattacks</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sat, 11 Apr 2026 17:37:15 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/01/28/Hacker-typing.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/01/28/Hacker-typing.jpg" alt /></p>
<p>The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation.</p>
<p>According to a  issued by multiple U.S. federal agencies on Tuesday, Iranian state-backed hacking groups have been targeting Rockwell Automation/Allen-Bradley PLC devices since March 2026, causing operational disruptions and financial losses.</p>
<p>"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel," the authoring agencies warned.</p>
<p>"The FBI identified that this activity resulted in the extraction of the device's project file and data manipulation on HMI and SCADA displays."</p>
<p>As cybersecurity firm Censys reported one day later, three-quarters of more than 5,200 such industrial control systems found exposed online globally are from the United States.</p>
<p>"Censys data identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (EIP) and self-identifying as Rockwell Automation/Allen-Bradley devices," .</p>
<p>"The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems."</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1109292/2026/Internet-exposed%20Rockwell-Allen-Bradley-PLcs.png" alt /><em>Internet-exposed Rockwell/Allen Bradley PLCs (Censys)</em></p>
<p>To defend against these ongoing attacks, network defenders are advised to secure PLCs using a firewall or disconnect them from the Internet, scan logs for signs of malicious activity, and check for suspicious traffic on OT ports (especially when it originates from overseas hosting providers).</p>
<p>Admins should also enforce multifactor authentication (MFA) for access to OT networks, keep all PLC devices up to date, and disable unused services and authentication methods.</p>
<p>This ongoing campaign follows  from nearly three years ago, when a threat group affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) and tracked as CyberAv3ngers targeted vulnerabilities in U.S.-based Unitronics operational technology (OT) systems.</p>
<p>CyberAv3ngers hackers compromised at least 75 Unitronics PLC devices in multiple waves of cyberattacks between November 2023 and January 2024, with half of those in Water and Wastewater Systems critical infrastructure networks across the United States.</p>
<p>More recently, the Handala hacktivist group ( to Iran's Ministry of Intelligence and Security)  from the network of U.S. medical giant Stryker, including employees' mobile devices and company-managed personal computers.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[ChatGPT rolls out new $100 Pro subscription to challenge Claude]]></title><description><![CDATA[OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100 subscription, in addition to the $200 Max monthly plan.
Until now, OpenAI has offered three subscription tiers.
First is Go, whic...]]></description><link>https://news.fmisec.com/chatgpt-rolls-out-new-100-pro-subscription-to-challenge-claude</link><guid isPermaLink="true">https://news.fmisec.com/chatgpt-rolls-out-new-100-pro-subscription-to-challenge-claude</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Sat, 11 Apr 2026 17:37:14 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2023/03/24/ChatGPT-logo.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2023/03/24/ChatGPT-logo.jpg" alt /></p>
<p>OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100 subscription, in addition to the $200 Max monthly plan.</p>
<p>Until now, OpenAI has offered three subscription tiers.</p>
<p>First is Go, which costs approximately $8, second is Plus for $20, and then the final tier is at $200, a jump of $180.</p>
<p>Anthropic, on the other hand, does not offer an $8 subscription, but it has a $100 subscription that sits between the cheapest $20 plan and the $200 plan, and it works for the company because it caters to the coding audience.</p>
<p>OpenAI has realized that it needs to go after coders and enterprises, similar to Anthropic's strategy.</p>
<p>The company's answer is ChatGPT Pro, which costs $100 and is designed for people who rely on AI to get high-stakes, complex work done.</p>
<p>After this change, OpenAI's offering looks like the following:</p>
<ul>
<li><p>Plus $20 – For lighter use. Try advanced capabilities like Codex and Deep Research for select projects throughout the week.</p>
</li>
<li><p>Pro $100 – Built for real projects. For those who use advanced tools and models throughout the week, with 5x higher limits than Plus (and 10x Codex usage vs. Plus for a limited time).</p>
</li>
<li><p>Pro $200 – For heavy lifting. Run your most demanding workflows continuously, even across parallel projects, with 20× higher limits than Plus.</p>
</li>
</ul>
<p>All Pro plans include access to advanced features, including:</p>
<ul>
<li><p>Pro models</p>
</li>
<li><p>Codex</p>
</li>
<li><p>Deep research</p>
</li>
<li><p>Image creation</p>
</li>
<li><p>Memory</p>
</li>
<li><p>File uploads</p>
</li>
</ul>
<p>OpenAI says the Pro plan also includes unlimited access to GPT-5 and legacy models, but it is not truly unlimited, because the usual "Terms of Use" policies still apply, including restrictions on account sharing.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor]]></title><description><![CDATA[Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools.
The two utilities have millions of users who rely on them for track...]]></description><link>https://news.fmisec.com/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-zhwmonitor</link><guid isPermaLink="true">https://news.fmisec.com/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-zhwmonitor</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Fri, 10 Apr 2026 16:37:07 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2023/11/09/CPU-Z.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2023/11/09/CPU-Z.jpg" alt /></p>
<p>Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools.</p>
<p>The two utilities have millions of users who rely on them for tracking the physical health of internal computer hardware and for comprehensive specifications of a system.</p>
<p>Users who downloaded either tool  recently that the official download portal points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer.</p>
<p>The name of the malicious file is HWiNFO_Monitor_Setup, and running it launches a Russian installer with an Inno Setup wrapper, which is atypical and highly suspicious.</p>
<p>Users reported that downloading the clean hwmonitor_1.63.exe from the direct URL was still possible, indicating that the original binaries were intact, but the distribution links appear to have been poisoned.</p>
<p>The externalized download chain was also confirmed by  and @vxunderground, who reported that a fairly advanced loader using known tactics, techniques, and procedures (TTPs) is involved.</p>
<p>“As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,” .</p>
<p>“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”</p>
<p>The researcher claims that the same threat group targeted users of the FileZilla FTP solution last month, suggesting that the attacker is focusing on widely used utilities.</p>
<p>The downloaded ZIP is flagged by 20 antivirus engines , although not clearly identified. Some classify it as Tedy Trojan, and others as Artemis Trojan.</p>
<p>Some researchers on VirusTotal say that the fake HWiNFO variant is an infostealer malware.</p>
<p>BleepingComputer has contacted CPUID to learn more about what happened, the date of the compromise, the affected versions, and what impacted users should do. A spokesperson has provided the following statement.</p>
<p>"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed." - CPUID</p>
<p>The same person told us that the hackers hit them at a time when the main developer was away on holiday.</p>
<p>Currently, it appears that CPUID has fixed the problem and now serves clean versions for both CPU-Z and HWMonitor.</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Analysis of one billion CISA KEV remediation records exposes limits of human-scale security]]></title><description><![CDATA[*
Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys
With Time-to-Exploit now at negative seven days and autonomous AI agents accelerating threats, the data no longer supports incremental improvement. The architecture of defense must ...]]></description><link>https://news.fmisec.com/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security</link><guid isPermaLink="true">https://news.fmisec.com/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Fri, 10 Apr 2026 16:37:06 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/posts/2026/04/08/qualys-looking-over-datacenter.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[
<p><em>Author: Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys</em></p>
<p><strong>With Time-to-Exploit now at negative seven days and autonomous AI agents accelerating threats, the data no longer supports incremental improvement. The architecture of defense must change.</strong></p>
<p><strong>What Leaders Need to Know</strong></p>
<p>Analysis of CISA's Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this.</p>
<p>Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed.</p>
<p>The problem is not speed. It is the operational model itself.</p>
<p>Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry's most dangerous window.</p>
<p>In response, defenders have to implement their own autonomous, closed-loop risk operations.</p>
<h2 id="heading-the-broken-physics">The Broken Physics</h2>
<p> from the Qualys Threat Research Unit, analyzing more than one billion CISA KEV remediation records from across 10,000 organizations over four years, quantifies what the industry has long suspected but never proved at scale. The operational model underpinning enterprise security is broken.</p>
<p>Vulnerability volumes have grown 6.5 times since 2022. According to , the average Time-to-Exploit has collapsed to negative seven days; in other words, adversaries are weaponizing the most serious vulnerabilities before patches exist. The percentage of critical vulnerabilities still open at seven days has climbed from 56 percent to 63 percent.</p>
<p>Yet this is not for lack of effort. Organizations now close 400 million more vulnerability events annually than they did at baseline. Teams work harder, but the extra effort fails to make a difference where it counts. Our researchers call this the "human ceiling" — a structural limit no amount of staffing or process maturity can overcome. The constraint is not effort. It is the model itself.</p>
<p>Of 52 high-profile weaponized vulnerabilities tracked with complete exploitation timelines, 88 percent were remediated slower than they were exploited. As an example, Spring4Shell was exploited two days before disclosure, yet the average enterprise needed 266 days to remediate.</p>
<p>Similarly, the flaw in Cisco IOS XE was weaponized a month early; average close was 263 days.</p>
<p>The attacker's advantage was measured in days. The defender's response was measured in seasons. This is not an intelligence failure. It is an operationalization failure.</p>
<p>To understand the future around risk operations, AI and managing remediation at scale, come to ROCON EMEA, the Risk Operations Center Conference.</p>
<p>Join your peers and learn more about automated remediation.</p>
<h2 id="heading-the-manual-tax-and-risk-mass">The Manual Tax and Risk Mass</h2>
<p>The report identifies a "Manual Tax" — the multiplier effect where long-tail assets that human processes cannot reach drag exposure from weeks into months. For Spring4Shell, average remediation was 5.4 times the median.</p>
<p>The median tells a manageable story. The average tells the truth. Infrastructure systems face a harsher reality: for Cisco IOS XE, even the median was 232 days — compared to endpoint medians consistently under 14 days. When the best-case outcome is eight months, the Manual Tax is no longer a multiplier. It is the baseline.</p>
<p>Looking at average figures is no longer helpful for decision-making. Instead, Risk Mass — vulnerable assets multiplied by days exposed — captures the cumulative exposure that CVE counts obscure. A companion metric, Average Window of Exposure (AWE), measures the full duration from weaponization to remediation across the environment.</p>
<p>As an example, Follina was weaponized 30 days before disclosure with an average close at Day 55.</p>
<p>However, the AWE stretched to 85 days. The blind spot before disclosure accounted for 36 percent of those 85 days, and the long tail of patching accounted for a further 44 percent. Together, the pre-disclosure period and the long tail represent 80 percent. The sprint that gets measured makes up less than 20 percent.</p>
<p>At the same time, of 48,172 vulnerabilities disclosed in 2025, only 357 were remotely exploitable and actively weaponized. Organizations are burning remediation cycles on theoretical exposure while genuinely exploitable gaps persist.</p>
<h2 id="heading-why-the-gap-will-widen">Why the Gap Will Widen</h2>
<p>Cybersecurity has long operated as a derivative of technology shifts — Windows security followed Windows, cloud security followed cloud. Leading practitioners and investors now argue AI breaks that pattern. It is not merely a new surface to defend; it is a fundamental transformation of the adversary itself.</p>
<p>Offensive agents can already discover, weaponize, and execute faster than any human-staffed operation can respond. The remediation data proves humans cannot keep pace today. Autonomous AI ensures the gap will accelerate tomorrow.</p>
<p>The transition period — where AI-powered attackers face human-speed defenders — represents the industry's most dangerous window, compounded by the structural vulnerabilities that dominate the near term: attack surfaces expanded beyond what teams can govern, identity sprawl that outpaces policy, and remediation workflows still built on manual execution.</p>
<h2 id="heading-how-security-teams-can-close-the-risk-gap">How Security Teams Can Close the Risk Gap</h2>
<p>The scan-and-report model — discover, score, ticket, manually route — was built for lower volumes and longer exploit timelines.</p>
<p>What replaces it is an end-to-end Risk Operations Center: embedded intelligence arriving as machine-readable decision logic, active confirmation validating whether a vulnerability is actually exploitable in a specific environment, and autonomous action compressing response to the timescale the threat demands.</p>
<p>The objective is not to eliminate human judgment but to elevate it — shifting practitioners from tactical execution to governing the policies that direct autonomous systems. The organizations already winning the physics gap are not winning with larger teams. They are winning because they have removed human latency from the critical path.</p>
<p>Time-to-Exploit will not return to positive numbers. Vulnerability volume will not plateau. The reactive model has hit a hard mathematical ceiling.</p>
<p>The only remaining question is whether organizations will use the architecture to match the mathematics — before the window between human-scale defense and autonomous-scale offense closes for good.</p>
<p><strong> for insights into how companies manage remediation at scale with automation and AI, and how you can make that difference right now.</strong></p>
<p>Sponsored and written by .</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Eurail says December data breach impacts 300,000 individuals]]></title><description><![CDATA[Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach.
Eurail is a Netherlands-based company that s...]]></description><link>https://news.fmisec.com/eurail-says-december-data-breach-impacts-300000-individuals</link><guid isPermaLink="true">https://news.fmisec.com/eurail-says-december-data-breach-impacts-300000-individuals</guid><category><![CDATA[Security]]></category><category><![CDATA[threat intelligence]]></category><dc:creator><![CDATA[Phong Xuan]]></dc:creator><pubDate>Thu, 09 Apr 2026 16:25:33 GMT</pubDate><enclosure url="https://www.bleepstatic.com/content/hl-images/2026/04/09/High-speed_train_Europe.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://www.bleepstatic.com/content/hl-images/2026/04/09/High-speed_train_Europe.jpg" alt /></p>
<p>Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach.</p>
<p>Eurail is a Netherlands-based company that sells Interrail and Eurail passes for multi-country train travel across Europe, passes that are also available to young Europeans through the EU's .</p>
<p>When it disclosed the incident in February, the company said the attackers gained access to travelers' sensitive information, including full names, passport details, ID numbers, bank account IBANs, health information, and contact details (email addresses, phone numbers), after breaching its customer database.</p>
<p>Eurail also warned at the time that the threat actors had published a sample of the stolen data on Telegram and were attempting to sell it on the dark web.</p>
<p>"The evidence showed that an unauthorized actor transferred files from our network on December 26, 2025," the European train travel company  sent to affected individuals on March 27.</p>
<p>"We reviewed the files involved and, on February 25, 2026, determined that they contained some of your information. The information included your name and passport number."</p>
<p>The same day, Eurail  with the Office of Oregon's Attorney General that the resulting data breach impacted 308,777 individuals.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1109292/2026/Eurail_Oregon_data_breach_filing.jpg" alt /><em>Eurail data breach filing with Oregon's OAG (BleepingComputer)</em></p>
<p>While Eurail said that it didn't store financial information or passport photocopies on the compromised systems, the European Commission  in a separate alert that this type of data (as well as health information) may have been exposed for young travelers who received a Pass through the DiscoverEU program.</p>
<p>Eurail told customers whose information was exposed in the breach to remain vigilant against potential phishing attacks and scams, and advised them to update their Rail Planner app account passwords and reset them on any other platform where they're also used.</p>
<p>The company added that customers should monitor their bank account activity and report any suspicious transactions to their bank as soon as possible.</p>
<p>Last month, the European Commission also  after the Europa.eu web platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang.</p>
<hr />
]]></content:encoded></item></channel></rss>