<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-AU"
                       href="https://www.techradar.com/au/feeds/tag/malware"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from TechRadar AU in Malware ]]></title>
                <link>https://www.techradar.com/au/tag/malware</link>
        <description><![CDATA[ All the latest malware content from the TechRadar  AU team ]]></description>
                                    <lastBuildDate>Mon, 06 Jul 2026 13:32:19 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ MacPaw Moonlock antivirus review ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/macs/macpaw-moonlock-antivirus-review</link>
                                                                            <description>
                            <![CDATA[ Moonlock is a relatively new arrival to the Mac antivirus scene, but offers excellent usability and won't hinder the performance of older Macs. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VeqiGPVbAQdSwFCBLk4FdC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QM9hJkWMMHyFDBLSPEBhmG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Jul 2026 13:32:19 +0000</pubDate>                                                                                                                                <updated>Mon, 06 Jul 2026 13:34:33 +0000</updated>
                                                                                                                                            <category><![CDATA[Macs]]></category>
                                                    <category><![CDATA[macOS]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Desktop PCs]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ bryan.wolfe@futurenet.com (Bryan M Wolfe) ]]></author>                    <dc:creator><![CDATA[ Bryan M Wolfe ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsbij4rP7NWfEAnN3HdV87.jpeg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Benedict Collins ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QM9hJkWMMHyFDBLSPEBhmG-1280-80.jpg">
                                                            <media:credit><![CDATA[Moonlock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A screenshot of the MacPaw Moonlock dashboard]]></media:description>                                                            <media:text><![CDATA[A screenshot of the MacPaw Moonlock dashboard]]></media:text>
                                <media:title type="plain"><![CDATA[A screenshot of the MacPaw Moonlock dashboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QM9hJkWMMHyFDBLSPEBhmG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>MacPaw has spent years building a reputation as one of the most design-conscious developers in the Mac ecosystem. Its flagship product, <a href="https://www.techradar.com/reviews/cleanmymac-x-for-mac-review" target="_blank">CleanMyMac</a>, has long included a malware removal module powered by Moonlock's engine. In October 2025, the Kyiv-based company spun that security technology into a standalone product: Moonlock, a full-featured antivirus app that goes well beyond a simple scanner.</p><p>Rather than leading with threat counts and detection percentages, Moonlock frames itself as security software that treats users like adults, explaining what malware is, why it matters, and what to do next, instead of firing off opaque alerts. The marketing centers on a 'care, not scare' approach, essentially promising to educate you rather than just bombarding you with red-text alerts.</p><p>While many live in the mythical belief that Macs are immune to viruses, <a href="https://moonlock.com/2025-macos-threat-report" target="_blank">MacPaw's own research</a> reports that 66 percent of Mac users encountered at least one cyber threat last year, with a 67% increase in registered macOS backdoor variants in 2025. The research shows a key message: macOS is not immune, are users are being targeted more frequently than ever.</p><h3 class="article-body__section" id="section-plans-and-pricing"><span>Plans and pricing</span></h3><p>Moonlock starts at $54 per year for a single Mac, with licenses available for 2, 5, or more than 10 devices per subscription. Monthly billing and one-time lifetime license options are also available for those who prefer not to commit to an annual cycle.</p><p>Discounts of up to 67 percent are advertised on multi-year plans, which is worth exploring if you intend to stick with the product long term.</p><p>New users get a seven-day free trial, though a credit card is required to start. That is a common enough practice, but it does mean you will need to remember to cancel if the product does not suit you. To soften the blow of that annual fee, Moonlock offers a 30-day money-back guarantee, which is a considerably more generous safety net than the case-by-case refund process offered by some competitors.</p><p>Current Setapp subscribers get access to Moonlock at no additional charge, which may be the most compelling value proposition for those already in MacPaw's subscription ecosystem. At $54 per year for a single device, standalone pricing lands considerably higher than ClamXAV's three-Mac Home plan at $29.95, a gap worth weighing if budget is a primary concern.</p><h3 class="article-body__section" id="section-features"><span>Features</span></h3><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2624px;"><p class="vanilla-image-block" style="padding-top:63.41%;"><img id="5KepRLD9rYrfaLqHs4edTZ" name="moonlock-scan" alt="A screenshot of a MacPaw Moonlock scan" src="https://cdn.mos.cms.futurecdn.net/5KepRLD9rYrfaLqHs4edTZ.jpg" mos="" align="middle" fullscreen="" width="2624" height="1664" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Moonlock)</span></figcaption></figure><p>Moonlock is organized into six sections: Home, Malware Scanner, VPN, Network Inspector, System Protection, and Security Advisor. That framework reflects a deliberate decision to bundle a security suite rather than deliver a focused antivirus, giving the product a notably broader footprint than Mac-only rivals like ClamXAV.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2624px;"><p class="vanilla-image-block" style="padding-top:66.31%;"><img id="Z7hkDirscjtHPz8KP3X67Q" name="moonlock-malware-scanner" alt="A screenshot of the MacPaw Moonlock malware scanner in action" src="https://cdn.mos.cms.futurecdn.net/Z7hkDirscjtHPz8KP3X67Q.jpg" mos="" align="middle" fullscreen="" width="2624" height="1740" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Moonlock)</span></figcaption></figure><p>Real-time protection runs continuously in the background, monitoring file activity, app behavior, and Mail attachments even when the main application window is closed. The Malware Scanner supports on-demand and scheduled scans, with built-in quarantine and removal tools. Detected threats are accompanied by plain-language explanations rather than raw file paths and specialized terms.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2624px;"><p class="vanilla-image-block" style="padding-top:66.31%;"><img id="ZTwnWuF8rVzcFgSx7DrkdU" name="moonlock-vpn" alt="A screenshot of the MacPaw Moonlock VPN in action" src="https://cdn.mos.cms.futurecdn.net/ZTwnWuF8rVzcFgSx7DrkdU.jpg" mos="" align="middle" fullscreen="" width="2624" height="1740" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Moonlock)</span></figcaption></figure><p>The bundled VPN is a simplified version of MacPaw's ClearVPN, covering around 60 server locations across more than 45 countries. Independent testing found no DNS or WebRTC leaks, and MacPaw maintains a no-logging policy. Speed retention is strong, holding around 82 percent of baseline download speeds on transatlantic connections and up to 96 percent on closer servers.</p><p>Network Inspector adds a country-level connection blocker, permitting users to block outbound traffic to specific regions. System Protection audits macOS's own built-in security settings and walks you through any gaps. Finally, Security Advisor provides a checklist for basic digital hygiene, including practical guidance on habits such as two-factor authentication and app permissions. AI assists with malware classification on the backend, helping the team update threat databases before new strains reach your device.</p><h3 class="article-body__section" id="section-privacy-and-security"><span>Privacy and Security</span></h3><p>From a top level perspective, Moonlock was tested by the third-party laboratory AV-Test in September 2025 and earned it's AV-Test certification. It scored a 5.5/6 in Protection, 4.5/6 in Performance, and a full 6/6 for Usability (which I'll dive into in the next section).</p><p>As for the credibility of the underlying research arm, Moonlock Lab has made several notable contributions to the antivirus landscape, being the first to identify PyStealer on VirusTotal, and the lab has also been cited by the SANS Institute for discovering new variants of the Atomic macOS infostealer.</p><p>Regarding privacy, the VPN operates under a strict zero-logs policy, and all data is processed locally. MacPaw publishes a Trust Center at security.macpaw.com describing its data-handling practices, certifications, and security standards, which is a nice change in transparency from many other antivirus providers.</p><p>The one caveat worth noting is that Moonlock is a recent standalone launch. While the underlying engine has been in use in CleanMyMac for some time, the app itself has a limited history as an independently tested product. But it is worth noting that in the time since the last time AV-Test handled Moonlock, MacPaw have likely taken steps to improve protection and performance.</p><h3 class="article-body__section" id="section-interface-and-in-use"><span>Interface and in use</span></h3><p>The interface is highly polished, modern, and immediately legible, with a two-panel home dashboard that separates tasks on the left from status information on the right. Everything is where you would expect it to be, and the visual hierarchy makes it easy to tell at a glance whether your Mac is protected. </p><p>Instead of a generic 'Threat Resolved' notification, Moonlock tells you what was found, why it poses a risk, and what your options are. I found I was the one to make the final call on whether to remove a flagged item, which sidesteps the infuriating experience of automated deletion that occasionally catches legitimate software.</p><p>The system requirements make it suitable for older devices too, requiring macOS 13 or later and 515MB of disk space. The app runs quickly and, in day-to-day use, does not noticeably drag on performance. Installation requires a MacPaw account, which adds a step that competitors like ClamXAV skip entirely for home users, but the tradeoff is a unified login for managing licenses and accessing support.</p><p>Ultimately, Moonlock is a great option for those looking for an accessible and easily navigable Mac antivirus that doesn't bombard you with any overly-technical language, and performs as though you are the one in control.</p><h3 class="article-body__section" id="section-support"><span>Support</span></h3><p>Moonlock support runs on MacPaw's established infrastructure, with a dedicated knowledge base that covers installation, configuration, and troubleshooting, and those with questions can submit immediate inquiries through the support portal. In-app feedback is also available via the Help menu.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2624px;"><p class="vanilla-image-block" style="padding-top:63.41%;"><img id="Poe8caHraKyHPdShHYkJug" name="moonlock-security-advisor" alt="A screenshot of the Moonlock security advisor in action" src="https://cdn.mos.cms.futurecdn.net/Poe8caHraKyHPdShHYkJug.jpg" mos="" align="middle" fullscreen="" width="2624" height="1664" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Moonlock)</span></figcaption></figure><p>As with many Mac-focused security products, live chat or phone support does not appear to be offered as a standard option. For most home users, the knowledge base and email channel will be sufficient. Teams with more complicated environments should verify support response times before committing, particularly given that Moonlock is a relatively new standalone product and the support documentation is still maturing.</p><h3 class="article-body__section" id="section-the-competition"><span>The competition</span></h3><p>ClamXAV is the most direct rival in the Mac-exclusive antivirus space. At $29.95 per year for three devices, it is considerably cheaper than Moonlock's $54 single-device starting price, and it also holds a perfect AV-Test score compared to Moonlock's test results. It does not include a VPN, network inspection, or the polished onboarding experience Moonlock offers, but for those who want focused antivirus protection at a lower cost, it is a strong option.</p><p><a href="https://www.techradar.com/pro/intego-mac-internet-security-x9-review" target="_blank">Intego Mac Internet Security X9</a> sits at a comparable price point and includes a network monitor, with a longer track record in independent third-party testing. Bitdefender Total Security and Norton AntiVirus Plus both offer wider platform coverage and larger feature sets, making them better fits for households with mixed Windows and Mac devices.</p><p>Those who are already subscribed to CleanMyMac should also note that its built-in malware-scanning module, powered by the same Moonlock engine, continues to function independently. Therefore the question is whether the full Moonlock standalone app adds enough to justify an additional subscription or an upgrade in spending.</p><h2 id="final-verdict">Final verdict</h2><p>Moonlock is one of the most carefully designed security apps I've encountered in the Mac ecosystem. Its interface is excellent, its feature set is broader than most Mac-specific alternatives, and the research team behind it is doing genuinely credible original work. The 30-day money-back guarantee is also a nice addition, despite the need to enter your payment details first.</p><p>At $54 per year for a single Mac, it costs nearly twice as much as ClamXAV's three-device plan. The added value of the bundled VPN and Network Inspector goes some way toward justifying that gap, but those who already have a VPN solution elsewhere may not find the extras compelling enough. Setapp subscribers, on the other hand, get all of this for free as part of a subscription they likely already value.</p><p>For long-standing CleanMyMac users who already benefit from the embedded Moonlock engine, the standalone app offers greater depth, visibility, and control, but it's not a replacement for anything missing. It is a fuller version of the protection they have already been relying on, now with a VPN, richer reporting, and a proper home for the security features that were previously contained within a Mac cleaning utility.</p><p>For Mac users who want a single subscription that covers antivirus, VPN, network monitoring, and system security guidance, Moonlock makes a strong argument. Just go in aware of what you are paying for relative to the alternatives.</p><p><em>You might also be interested in our report on </em><a href="https://www.techradar.com/news/software/applications/30-best-mac-apps-for-just-about-everything-712511"><em>the best Mac apps of the year</em></a><em>.</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ We built a trillion-dollar security industry on top of an unprotected layer ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/we-built-a-trillion-dollar-security-industry-on-top-of-an-unprotected-layer</link>
                                                                            <description>
                            <![CDATA[ As attackers increasingly exploit the 'human stack', organizations must shift from purely technical defenses to behavior-based resilience. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sMHxNdB4WmJWK3NYsDeq6N</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Jul 2026 10:46:42 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sarah Gosler ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:description>                                                            <media:text><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>For thirty years, the hardest part of a sophisticated cyberattack was the human labor behind it. Finding the vulnerability. Writing the exploit. Chaining the access. Staying quiet long enough to matter. </p><p>That work required teams, time, and tradecraft. It’s the reason nation-state operations looked different from criminal ones, and why most organizations could plan around the gap between them.</p><p>That gap is closing. </p><p>We are entering what I think of as the Mythos era, in which machines can do in minutes what used to take skilled human operators months. <a href="https://www.techradar.com/best/best-online-cyber-security-courses">Cybersecurity</a> defenses are improving, but the layer where final decisions are made, the human one, is now the easiest to exploit. </p><p>The advantage that protected most organizations, most of the time, is going with it. Precision at scale is no longer a contradiction. It’s a feature.</p><h2 id="the-human-stack-what-it-is-and-why-it-matters">The Human Stack: what it is and why it matters</h2><p>Most of the conversation about this shift has focused on what these systems do to vulnerabilities. That conversation is accurate, but incomplete. The harder problem is what machine-speed attacks do to the systems those vulnerabilities ultimately route through: systems that depend on human decisions.</p><p>That’s a layer most <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> programs don’t explicitly own. I call it the Human Stack, the point where every system finally comes down to a person deciding whether a wire transfer goes through, whether an email is trusted, or whether a voice on a phone call is real. We have spent a generation hardening everything above it, and almost nothing on the layer itself.</p><p>For most of cybersecurity's history, that was a tolerable bet. Attackers had to choose between going wide and crude, or narrow and precise. The Human Stack held because precision didn’t scale, and scale didn’t achieve precision.</p><p>That tradeoff is gone.</p><h2 id="what-the-next-wave-of-attacks-looks-like">What the next wave of attacks looks like</h2><p>The next wave won’t arrive as <a href="https://www.techradar.com/best/best-malware-removal">malware</a>. It’ll arrive as evidence. A voicemail that sounds exactly like the person it claims to be. A video call with a face you have known for ten years. An email thread that picks up a conversation you actually had, in the cadence you actually use, referencing a project that actually exists. The technical indicators will be clean, and the social indicators will be perfect. The only thing that will be wrong is the conclusion the human is being led to.</p><p>Last year, I spent time with the team behind Midnight in the War Room, a documentary premiering August 5 at Black Hat USA. It brings together over 50 experts, from global CISOs and military strategists to reformed hackers and victims of cyber conflict. The conversations were about something that has been happening for a long time and is about to be accelerated: the industrialization of social engineering, and the steady weaponization of the behavioral attack surface.</p><p>That surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, and <a href="https://www.techradar.com/best/best-cloud-computing-services">cloud services</a> administrator your business depends on. Your operations going offline may have nothing to do with your own people, and everything to do with someone three vendors deep making a decision under synthetic pressure.</p><h2 id="what-this-means-for-enterprises">What this means for enterprises</h2><p>For businesses, this isn’t theoretical. Financial risk is direct. We're already seeing fraudulent wire transfers, manipulated approval chains, and finance chiefs impersonated so convincingly that payments clear before anyone notices.</p><p>Operational disruption can come with no malware on your systems. The behavioral attack surface doesn't stop at your perimeter. It extends through every vendor, managed service provider, law firm, auditor, and cloud administrator your business depends on. </p><p>A compromised third party, manipulated through a perfectly constructed social engineering campaign, can take your operations offline without leaving a fingerprint anywhere near your network. Most organizations scrutinize their own security posture far more rigorously than the human decision-making environments of the third parties they rely on, leaving that exposure largely unmanaged. </p><p>Regulators and insurers are starting to ask harder questions about that exposure, and most organizations don't yet have good answers.</p><h2 id="the-shift-from-prevention-to-resilience">The shift from prevention to resilience</h2><p>There's a second shift that boards need to start preparing for, and it's bigger than any single control or technology. We're leaving the era in which security success is measured by attacks prevented. We're entering one in which the realistic measure is how quickly an organization recovers when belief fails.</p><p>Prevention still matters, and the investments organizations have made in it have been the right ones. But in a world where attacks will sometimes succeed because they're indistinguishable from legitimate activity, prevention alone is no longer a coherent strategy. Resilience is.</p><p>What resilience means at the human layer is different from what it means at the technical one. Technical resilience is about systems that fail gracefully and recover quickly. Human resilience is about decision-making environments that can absorb a successful deception, recognize it, and contain it before it compounds. Most organizations have invested in the first. Very few have invested in the second. That's the gap the next decade will judge us on.</p><h2 id="what-leaders-should-do">What leaders should do</h2><p>The security stack remains necessary, but this era exposes that even the best systems hand their hardest decisions to humans, and we haven't invested in that layer with the same rigor. Here’s where to start:</p><p><strong>Measure recovery, not just prevention</strong></p><p>When belief fails, how fast can your organization catch it, contain it, and get back up? That has to be designed into your operating model now, not figured out after an incident. </p><p><strong>Design for decision-making under deception</strong></p><p>Training people to spot phishing isn't sufficient when the phishing email is indistinguishable from a real one. Build institutional processes that don't rely on a single person making the right call under pressure.</p><p><strong>Treat people as operational infrastructure. </strong></p><p>Human judgment is a critical system. It needs redundancy and failure protocols, just like any other.</p><p><strong>Extend your security culture to your vendor ecosystem</strong></p><p>The behavioral attack surface runs through your entire supply chain. Your third-party risk program needs to account for the human layer, not just the technical one.</p><h2 id="the-window-is-closing">The window is closing</h2><p>Midnight in the War Room will make this visible in a way an op-ed cannot. </p><p>The Mythos era did not create this problem. It revealed it. The cost of exploiting human decision-making precisely was high enough to keep most attackers out. That barrier is collapsing now.</p><p>What comes next will not announce itself. It’ll arrive looking like someone you trust, asking for something that feels completely reasonable, right up until the moment it isn't.</p><p>The question is no longer whether your systems can withstand attack. It's whether your people are prepared to make decisions in a world where the evidence itself can no longer be trusted, and whether your organization is built to recover when those decisions go wrong.</p><p><em></em><a href="https://www.techradar.com/best/best-cloud-antivirus"><em>We've reviewed and ranked the best cloud antivirus</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ That free VPN Chrome and Firefox extension may be reading your clipboard every half a second, researchers warn ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/vpn/vpn-privacy-security/that-free-vpn-chrome-and-firefox-extension-may-be-reading-your-clipboard-every-half-a-second-researchers-warn</link>
                                                                            <description>
                            <![CDATA[ Researchers at Socket found two "VPN Go" browser extensions for Chrome and Firefox that posed as free VPNs while quietly stealing clipboard data through later updates. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">drttgaXd7xBrBjVNgZ6gbP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 01 Jul 2026 13:22:10 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[VPN Privacy &amp; Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ monicajwrites@gmail.com (Monica J. White) ]]></author>                    <dc:creator><![CDATA[ Monica J. White ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/6AQ4y5nzk8kQ47Yp69GERj.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Monica is a journalist with over a decade of experience in covering technology.&lt;/p&gt;&lt;p&gt;She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors. Her coverage includes CPUs, GPUs, and everything else that goes into a PC or a laptop, but also peripherals.&lt;/p&gt;&lt;p&gt;GPUs are Monica’s main area of interest, and nothing thrills her quite like that time every couple of years when new graphics cards hit the market. She’s always keeping tabs on the latest from Nvidia, AMD, and Intel, including both the hardware and the software that powers our PCs.&lt;/p&gt;&lt;p&gt;As an avid gamer, her focus is always on the consumer and whether something works well and provides adequate value for the money. She believes that PC building can be intimidating, so her goal is to explain complex concepts in an approachable manner while still digging into the technical nitty-gritty we all love to learn more about.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Malware kan ställa till med oreda]]></media:description>                                                            <media:text><![CDATA[Android phone malware]]></media:text>
                                <media:title type="plain"><![CDATA[Android phone malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Researchers found "VPN Go" extensions for Chrome and Firefox secretly harvesting copied text</strong></li><li><strong>The clipboard theft was not there at launch and arrived through a later update</strong></li><li><strong>Anything copied while the extension was active should now be treated as exposed</strong></li></ul><p>Security researchers at Socket found two browser extensions distributed under the "VPN Go: Free VPN" branding, one listed on the Chrome Web Store and one on Firefox Add-ons, to secretly harvest copied text. </p><p>Both present themselves as free VPN tools with working proxy features. Underneath, <a href="https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboard-stealers" target="_blank" rel="nofollow">Socket says</a>, both also run a clipboard stealer that continuously watches copied text and sends it to infrastructure controlled by the attacker.</p><p>According to Socket, the clipboard theft was not present when the extensions first appeared. It was added later, through an ordinary-looking update, after the extensions had already built up a base of trusting users. That staged approach is exactly what makes this kind of threat so hard to spot, and why even a fairly cautious user can end up exposed.</p><p>For anyone weighing up a no-cost privacy tool, it is worth knowing that not every free option behaves like this, and the <a href="https://www.techradar.com/vpn/best-vpn">best VPN</a> services are tested precisely so you do not have to take this kind of gamble. But this case shows how thin the line can be between a useful free extension and a data-harvesting one.</p><h2 id="what-socket-s-research-uncovered">What Socket's research uncovered</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1213px;"><p class="vanilla-image-block" style="padding-top:56.22%;"><img id="7b3ucMmXHaTYWRvoZbT8T9" name="VPN Go" alt="VPN Go in Chrome Web Store" src="https://cdn.mos.cms.futurecdn.net/7b3ucMmXHaTYWRvoZbT8T9.png" mos="" align="middle" fullscreen="" width="1213" height="682" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Chrome)</span></figcaption></figure><p>Socket says the earliest analyzed builds behaved like ordinary proxy extensions, with no confirmed clipboard theft. </p><p>On <a href="https://www.techradar.com/reviews/google-chrome">Chrome</a>, that changed with version 1.1, when the extension added a script that reads the clipboard and ships those chunks off to a hardcoded address. The <a href="https://www.techradar.com/reviews/mozilla-firefox">Firefox</a> version followed the same path slightly later, moving the same theft loop into its background script.</p><p>Once active, the monitoring is relentless. The Chrome content script checks the clipboard roughly every half a second, according to Socket's analysis, while the Firefox build polls every 1.5 seconds. </p><p>Each newly copied value is tagged with a session identifier so it can be reassembled on the other end, then sent out over plain HTTP. All of this was happening while the two apps' privacy policies stated that the tools did not collect, store, or share user data and did not keep activity logs.</p><p>TechRadar has reached out to VPN Go for comment, but both email addresses bounced, and both extensions have since been pulled from their stores.</p><h2 id="why-clipboard-stealers-are-dangerous-for-users">Why clipboard stealers are dangerous for users</h2><p>The reason clipboard theft is so effective is that it abuses something completely routine. People copy and paste sensitive information all day, and it's not careless to do so. Password managers rely on exactly that: copying long, unique passwords into your accounts.</p><p>An extension that can silently read the clipboard has access to all of this information; it just has to wait for you to copy the right thing. If you have used either of the two extensions in question, you should treat any information you've copied during that time as exposed.</p><p>Researchers have repeatedly found free VPN extensions doing things their users never agreed to. Recent reporting has covered a <a href="https://www.techradar.com/vpn/vpn-privacy-security/this-free-chrome-vpn-extension-found-to-spy-on-its-100k-users-uninstall-it-now">free Chrome VPN extension caught taking screenshots</a> of every page its users visited, and a <a href="https://www.techradar.com/vpn/vpn-privacy-security/malicious-free-vpn-extension-makes-a-comeback">malicious free VPN extension that resurfaced</a> after being removed, returning in a more evasive form. </p><p>The pattern is consistent enough that it is worth treating any unknown free VPN extension with caution by default. That caution matters: TechRadar's own polling found that <a href="https://www.techradar.com/vpn/vpn-privacy-security/to-pay-or-not-to-pay-nearly-1-in-4-techradar-readers-say-they-use-free-vpns-despite-the-risks">nearly 1 in 4 readers use free VPNs</a> despite knowing the risks.</p><h2 id="how-to-stay-safe">How to stay safe</h2><p>If you want the protection a VPN offers without rolling the dice, stick to providers with a track record and independent testing behind them. </p><p>A reputable paid service, or one of the carefully vetted <a href="https://www.techradar.com/vpn/best-free-vpn">best free VPN</a> options, is a far safer bet than an unknown extension promising unlimited access for nothing. As the saying goes, when the product is free, there is a decent chance that you are the product.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ NAIC confirms data breach with ShinyHunters claiming 3.1TB of data stolen in Oracle zero-day attack ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/naic-confirms-data-breach-with-shinyhunters-claiming-3-1tb-of-data-stolen-in-oracle-zero-day-attack</link>
                                                                            <description>
                            <![CDATA[ Insurer regulatory filing documents, customer bulk orders, and more, stolen in a major zero-day supply chain attack ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rq7YhrojSragNBymdm8FYn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VGPtSi99Vy7pCWeNLEcT5c-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Jun 2026 18:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VGPtSi99Vy7pCWeNLEcT5c-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[hacker hands at work with  interface around]]></media:description>                                                            <media:text><![CDATA[hacker hands at work with  interface around]]></media:text>
                                <media:title type="plain"><![CDATA[hacker hands at work with  interface around]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VGPtSi99Vy7pCWeNLEcT5c-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>NAIC confirmed a cyberattack exploiting an Oracle PeopleSoft zero‑day, with ShinyHunters claiming theft of 3.1TB of data</strong></li><li><strong>Stolen cache allegedly includes insurer filings, credit rating files, AWS logs, configs, and PII; NAIC says only financial reports and technical data were taken</strong></li><li><strong>Incident spotted June 11, disclosed June 17; files leaked online suggest NAIC did not pay ransom, as ShinyHunters continues exploiting the zero‑day across 100+ organizations</strong></li></ul><p>The National Association of Insurance Commissioners (NAIC) confirmed suffering a cyberattack that resulted in the stolen data being leaked on the dark web. While the company did not name the group responsible, or mentioned the size of the stolen cache, the infamous ShinyHunters claimed responsibility and stated they snatched around 3.1TB of information.</p><p>In a security notice published on the NAIC website, it was explained that the attackers managed to exploit a <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">zero-day vulnerability</a> in Oracle PeopleSoft. This is an <a href="https://www.techradar.com/best/best-erp-software" target="_blank">enterprise resource planning</a> (ERP) software suite, designed to help businesses manage employees, finances, supply chains, and more. Citing Google Mandiant, Cybernews says ShinyHunters first started exploiting the zero-day on May 27, and managed to compromise more than 100 organizations and 300 individuals, before Oracle finally pushed an emergency update on June 10.</p><p>Among the victims, as we now know, is NAIC, whose PeopleSoft environment was compromised, and used to obtain credentials and move laterally to internal data storage locations. </p><h2 id="shinyhunters-step-forward">ShinyHunters step forward</h2><p>Based on NAIC’s investigation, the stolen information includes publicly available statutory financial reports, insurer investment credit rating data, and some technical information such as outdated logs and configuration files. There is no evidence that personal information, banking information, or payment data was accessed, it said.</p><p>NAIC spotted the attack on June 11 and immediately launched its incident response protocol, which includes notifying law enforcement, blocking malicious actors, and bringing in third-party security experts. The Commission disclosed the incident on June 17, a day before ShinyHunters went public. </p><p>The notorious ransomware gang claims to have taken more than 264,000 insurer regulatory filing documents, 2,000 customer and bulk orders containing personally identifiable information, some 45,000 files from major credit rating agencies, statutory annual and quarterly financial statements submitted by insurers, production AWS infrastructure logs, cloud configuration files, and workload automation data, and SQL scripts.</p><p>Since the files were seemingly leaked online, it’s safe to assume that NAIC did not (want to) pay the ransom demand.</p><p><em>Via </em><a href="https://cybernews.com/news/naic-breach-shinyhunters-3tb-insurance-systems-data/" target="_blank"><em>Cybernews</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers are establishing persistence in hospitality and hotels by posing as guests with poisoned ZIP archives, but no one knows what their plan is ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-are-establishing-persistence-in-hospitality-and-hotels-by-posing-as-guests-with-poisoned-zip-archives-but-no-one-knows-what-their-plan-is</link>
                                                                            <description>
                            <![CDATA[ It looks like reconnaissance activity, possibly in preparation of a more destructive attack. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uFvUz5mRvhqu4D8SqDToRo</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Jun 2026 14:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:description>                                                            <media:text><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:text>
                                <media:title type="plain"><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with guest complaint‑themed emails</strong></li><li><strong>Attackers abuse services like Calendly and Google redirects to bypass authentication checks, delivering photo‑themed ZIPs that install a persistent Node.js implant</strong></li><li><strong>Malware disables Defender, runs C2 beaconing, gathers system info, and forces shutdowns; signs include unusual PowerShell activity, Node.js execution, and suspicious registry entries</strong></li></ul><p>Hackers are establishing a foothold on hotels and hospitality organizations across Europe and Asia, but no one really knows what for, at least not yet.</p><p>This is according to Microsoft Threat Intelligence, who recently published a new report saying that since April, it’s been tracking an active phishing campaign. In this campaign, the unnamed attackers target front desk, reception, and reservations staff with emails about guest complaints, room conditions, bedbug infestations, booking inquiries, and similar.</p><p>The messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, the crooks abuse legitimate services such as Calendly, and Google’s redirect infrastructure, which helps them pass SPF, DKIM, and DMARC authentication checks.</p><h2 id="tricking-defender">Tricking Defender</h2><p>This “authentication laundering”, as Microsoft puts it, results in photo-themed ZIP archives making their way directly to their victims. The archives contain a fake image shortcut (.LNK) files that, at a glance, appear to be harmless .PNG images. However, these files launch a sophisticated multi-stage infection chain that installs a persistent Node.js-based implant.</p><p>After being deployed, the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> tweaks Microsoft Defender to exclude itself (and other, randomly named executables) from scanned processes, downloads additional payloads, and copies itself into different places. </p><p>On compromised systems, Microsoft observed the malware running command-and-control beaconing, gathering environmental information such as the victim's public IP details, launching headless browser sessions, and in some cases forcing immediate system shutdowns. While it could not say what the goal of the campaign is, it all points to a reconnaissance stage that usually comes before a more disruptive malware or ransomware attack. </p><p>Microsoft recommends organizations focus on detecting the campaign's behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile directories, .NET compilation initiated by PowerShell, and Defender exclusion changes.</p><p>Furthermore, there are random executables running from temporary folders, suspicious Run and RunOnce registry entries, outbound connections on the campaign's non-standard ports, connections to newly registered .cfd domains, and combinations of headless browser activity followed by forced shutdown commands.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ This macOS malware can avoid AI analysis with gaslighting prompts hidden inside its architecture ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/this-macos-malware-can-avoid-ai-analysis-with-gaslighting-prompts-hidden-inside-its-architecture</link>
                                                                            <description>
                            <![CDATA[ A new piece of malware tries to trick AI-assisted analysis into showing errors. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">U53dE6YVGq8TtTv52qNvmn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Rb6YDzdRZjccpn6MQ26KML-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Jun 2026 13:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Rb6YDzdRZjccpn6MQ26KML-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A person typing on a laptop and using a tablet. Only their upper torso, arms and hands are visible. Text superimposed on the image shows AI ]]></media:description>                                                            <media:text><![CDATA[A person typing on a laptop and using a tablet. Only their upper torso, arms and hands are visible. Text superimposed on the image shows AI ]]></media:text>
                                <media:title type="plain"><![CDATA[A person typing on a laptop and using a tablet. Only their upper torso, arms and hands are visible. Text superimposed on the image shows AI ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Rb6YDzdRZjccpn6MQ26KML-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>SentinelOne uncovered macOS malware “Gaslight” that uses prompt injection to mislead AI‑assisted triage tools during analysis</strong></li><li><strong>Beyond standard backdoor and infostealer capabilities, it embeds fake Markdown “system” messages to trick LLMs into halting investigation</strong></li><li><strong>Researchers warn defenders to treat malware samples as adversarial input and isolate AI pipelines, as more analyst‑targeting prompt injection is expected</strong></li></ul><p>We’ve seen prompt injection in websites and emails, but what about - malware samples? Security researchers SentinelOne recently published an in-depth report on a newly uncovered piece of macOS malware called Gaslight that, as the name suggests, tries to gaslight AI-assisted triage agents into stopping the analysis.</p><p>The malware itself is nothing out of the ordinary: it infects the device by whatever means necessary (usually phishing and social engineering), connects to attacker-controlled infrastructure via Telegram, and then executes different commands such as profiling the device, running arbitrary shell commands, stealing files, or terminating processes. </p><p>It also delivers a stage-two malware that acts as an infostealer, pulling passwords, sensitive PDFs, cryptocurrency wallet information, and more.</p><h2 id="weaponizing-llm-assisted-triage-pipelines">Weaponizing LLM-assisted triage pipelines</h2><p>But where Gaslight stands out is its defenses against <a href="https://www.techradar.com/best/best-ai-tools" target="_blank">AI-powered malware analysis</a>. According to SentinelOne, the malware contains a large block of fake Markdown-formatted "system" messages designed for AI assistants that security researchers may use during reverse engineering. These messages claim things like “the AI's authentication token has expired”, “the analysis environment is running out of memory”, “disk space has been exhausted”, “static analysis is unsafe”, and similar. </p><p>While a human analyst would definitely recognize these fake messages even at a glance, an LLM that isn’t properly isolated from untrusted input could interpret them as genuine system instructions and refuse to further analyze the malware. </p><p>“macOS.Gaslight is noteworthy for its analyst-targeting prompt injection, an attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop,” SentinelOne explains. “Anyone building such tooling should treat the contents of the samples they triage as adversarial input, never as instructions, and be prepared to keep hostile content out of the model entirely. As LLM-assisted analysis becomes routine, defenders should expect more samples built to exploit it.”</p><p>The researchers have published a full list of indicators of compromise on <a href="https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/" target="_blank">this link</a>.</p><p><em>Via </em><a href="https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html" target="_blank"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Edge users beware — this malicious extension can break out of the sandbox and install ransomware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/edge-users-beware-this-malicious-extension-can-break-out-of-the-sandbox-and-install-ransomware</link>
                                                                            <description>
                            <![CDATA[ Hackers found a way to get an Edge extension to do their bidding. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZW8e2HVDrnR2AMfRNTKep3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/tSejjmrgK46MgdhWqD5miC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Jun 2026 14:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/tSejjmrgK46MgdhWqD5miC-1280-80.jpg">
                                                            <media:credit><![CDATA[Tada Images / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Google Chrome app is seen on an iPhone next to Edge and other web browser apps. Microsoft is using new prompts in Edge to try and stop users from downloading Chrome.]]></media:description>                                                            <media:text><![CDATA[Google Chrome app is seen on an iPhone next to Edge and other web browser apps. Microsoft is using new prompts in Edge to try and stop users from downloading Chrome.]]></media:text>
                                <media:title type="plain"><![CDATA[Google Chrome app is seen on an iPhone next to Edge and other web browser apps. Microsoft is using new prompts in Edge to try and stop users from downloading Chrome.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/tSejjmrgK46MgdhWqD5miC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Zscaler uncovered “Edgecution,” a malicious Edge extension deployed via fake Outlook update sites shared in Teams phishing</strong></li><li><strong>Attack uses ZIP archives with Python runtime to escape browser sandbox, creating a backdoor capable of shell/PowerShell execution and system data theft</strong></li><li><strong>Believed linked to Initial Access Brokers tied to ransomware group Payout Kings, showing evolving sophistication in access‑for‑sale operations</strong></li></ul><p>If you are using the Edge browser be careful - there is a malicious campaign going round that uses the <a href="https://www.techradar.com/best/browser" target="_blank">browser</a> to deploy a backdoor via an extension.</p><p>According to security researchers Zscaler, scammers are reaching out to their victims via Microsoft Teams, pretending to be IT support. They claim the user needs to install an Outlook update, or a spam filter, and direct the victims to a fake “Outlook Updates Management Console” website. </p><p>There, the users are instructed to run one of the three provided processes, all of which download a ZIP archive that, when executed, creates a scheduled task. This task starts the Edge browser in headless mode (invisible to the user) and installs an extension officially called “Edge Monitoring Agent”. Zscaler, on the other hand, calls it “Edgecution”.</p><h2 id="creating-a-native-messaging-manifest">Creating a Native Messaging manifest</h2><p>The ZIP archive also contains an embedded Python runtime and a Python-based <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">backdoor</a>. The runtime creates a Native Messaging manifest - a file that tells the browser how to communicate with the backdoor. That’s the way the threat actors managed to escape the browser’s sandbox and run the backdoor on the compromised computer itself. </p><p>That backdoor can do multiple things, from executing shell commands, to running PowerShell and arbitrary Python code. It can also write files on the host, enumerate running processes, and gather system information. </p><p>Zscaler believes this is the work of an Initial Access Broker (IAB), a malicious group whose only job is to obtain access to a victim’s infrastructure and then sell it - or share it with a partnering group. This particular IAB, the researchers believe, is connected to a ransomware operation called Payout Kings. </p><p>“The Edgecution browser extension illustrates the evolving sophistication of initial access brokers operating in the ransomware landscape,” Zscaler warns. “The reliance on a malicious browser extension to relay commands to a Python-based native host demonstrates a creative approach to evade traditional endpoint detection.”</p><p>A full list of Indicators of Compromise (IoC) can be found on <a href="https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution" target="_blank">this link</a>.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Multiple malicious OpenClaw skills found online - including two macOS infostealers ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/multiple-malicious-openclaw-skills-found-online-including-two-macos-infostealers</link>
                                                                            <description>
                            <![CDATA[ Criminals found yet another marketplace to infect and use as a launchpad for malware delivery. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vFgwHmcERf3Dv9c4J9df9G</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DTZvZXmPaA8zMJoW733ZVa-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Jun 2026 12:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/DTZvZXmPaA8zMJoW733ZVa-1280-80.png">
                                                            <media:credit><![CDATA[Fortune]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft OpenClaw]]></media:description>                                                            <media:text><![CDATA[Microsoft OpenClaw]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft OpenClaw]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DTZvZXmPaA8zMJoW733ZVa-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Palo Alto Networks’ Unit 42 found five malicious “skills” on ClawHub, OpenClaw’s official marketplace, delivering infostealers and fraud</strong></li><li><strong>Threat actors bypassed VirusTotal/ClawScan checks with inflated file sizes and evasive techniques, showing persistent supply chain risk</strong></li><li><strong>All malicious skills were removed and accounts banned; researchers urge strict provenance validation and source code audits for published packages</strong></li></ul><p>ClawHub is the latest marketplace hackers are poisoning with malware, in an attempt to compromise software developers and other advanced users. Earlier this week, security researchers from Palo Alto Networks’ Unit 42 team disclosed finding, and reporting, five “skills” on that marketplace, that sought to infect their users with infostealer <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>. </p><p>First a little context: OpenClaw (originally published as Clawd/Clawdbot) was released in November 2025. It is an <a href="https://www.techradar.com/best/best-ai-tools" target="_blank">open-source agent</a> platform that performs actions on a computer, such as browsing the web, or managing files, instead of simply answering questions like a chatbot. To perform different actions, OpenClaw must first learn how to do them, which is done through “skills” - add-ons that extend the agent’s capabilities.</p><p>Soon after, ClawHub was born - the official marketplace and registry for OpenClaw skills and plugins, attracting not just the AI developer community, but cybercriminals, as well. Early reports, published in February this year, forced OpenClaw to integrate VirusTotal and ClawScan, to better protect the community and allow proactive screening of published skills.</p><h2 id="persistent-and-evasive-malicious-skills">Persistent and evasive malicious skills</h2><p>However, Unit 42 says this didn’t stop threat actors, and that it has since discovered multiple “persistent and evasive malicious skills” on the platform. </p><p>In total, the researchers discovered five skills, including two that delivered the AMOS infostealer, one that came with an inflated file size to trick scanners, and two that were essentially commission fraud, abusing the fact that an AI agent can make decisions and perform actions on behalf of the user. Details on all five can be found on <a href="https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/" target="_blank">this link</a>.</p><p>All five were since reported to ClawHub, and OpenClaw had them removed and the accounts behind them banned. </p><p>Unit 42 recommends organizations use a “rigorous supply chain verification framework” to remain secure: “We identified that skill execution occurs within the agent process. This necessitates active validation of publisher provenance and a line-by-line audit of package source files.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New lightweight, self-propagating crypto stealing malware delivered by USB spotted by Microsoft researchers – Crypto Clipper script-based stealer hunts for vulnerable wallets ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/new-lightweight-self-propagating-crypto-stealing-malware-delivered-by-usb-spotted-by-microsoft-researchers-crypto-clipper-script-based-stealer-hunts-for-vulnerable-wallets</link>
                                                                            <description>
                            <![CDATA[ Microsoft details a newly discovered wormlike infostealer called Crypto Clipper. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GaqMuUuMNrgQhbzMPLJ9SN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VnoVVXTmAmxSBYBe4LUwVW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jun 2026 18:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VnoVVXTmAmxSBYBe4LUwVW-1280-80.jpg">
                                                            <media:credit><![CDATA[vjkombajn/Pixabay]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Image credit: Pixabay/vjkombajn]]></media:description>                                                            <media:text><![CDATA[Cryptocurrencies]]></media:text>
                                <media:title type="plain"><![CDATA[Cryptocurrencies]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VnoVVXTmAmxSBYBe4LUwVW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Microsoft warns of “Crypto Clipper,” a worm spreading via malicious .LNK files on USB drives</strong></li><li><strong>Malware maintains persistence, connects to Tor C2, enables remote code execution, and steals clipboard crypto data</strong></li><li><strong>It swaps wallet addresses, exfiltrates seed phrases/private keys, and uploads screenshots to assess target value</strong></li></ul><p>Microsoft is warning of an ongoing campaign targeting cryptocurrency owners with a clipboard-jacking worm.</p><p>In a new in-depth report published late last week, Microsoft’s security researchers explained that they recently analyzed a thumb drive that contained seemingly normal documents (Word files, Excel spreadsheets). However, the documents were replaced with Windows shortcut (.LNK) files which actually launched a piece of malware called Crypto Clipper. </p><p>This malware does a couple of things. First, it spreads by creating malicious .LNK files on USB drives and other removable media. It also sets up scheduled tasks to maintain persistence and automatically infect newly connected USB devices. Second, it behaves like a backdoor by regularly contacting a C2 server over the Tor network and receiving commands from the attacker. The server can also send commands to have the malware download and execute attacker-supplied code on the infected system, as well. </p><h2 id="stealing-wallet-data">Stealing wallet data</h2><p>Finally, Crypto Clipper acts as a clipboard clipper by monitoring the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. If it spots a wallet address, it can replace it with a different one, owned by the attackers, so that any tokens sent by the victim go to the attacker, instead. It can also steal and exfiltrate copied seed phrases and private keys, which can be used to load a victim's crypto wallet on a separate device. </p><p>To help attackers assess the value of a target, the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> periodically captures screenshots of the victim's screen and uploads them through the Tor network.</p><p>“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” Microsoft said. “The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.”</p><p>Microsoft did not say if the malware targeted any specific countries or regions, nor did it discuss the number of victims.</p><p><em>Via </em><a href="https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/" target="_blank"><em>Ars Technica</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Phishing the agent: Why AI guardrails aren’t enough ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/phishing-the-agent-why-ai-guardrails-arent-enough</link>
                                                                            <description>
                            <![CDATA[ AI agents are handed the keys to the kingdom but can't always be trusted. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mPDZTdxUod2oo3R2JVwV4Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/AsscCgZRnWXMPyCxtEfpkK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jun 2026 13:39:33 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jeremy Kirk ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/AsscCgZRnWXMPyCxtEfpkK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An email symbol inside a red square warning sign, surrounded by red triangles with exclamation marks inside them, superimposed on someone typing on a laptop]]></media:description>                                                            <media:text><![CDATA[An email symbol inside a red square warning sign, surrounded by red triangles with exclamation marks inside them, superimposed on someone typing on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[An email symbol inside a red square warning sign, surrounded by red triangles with exclamation marks inside them, superimposed on someone typing on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/AsscCgZRnWXMPyCxtEfpkK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.techradar.com/best/best-ai-tools">AI</a> agents are reshaping how enterprises automate work, but their effectiveness depends on access to sensitive systems and data. </p><p>The paradox is that granting them the permissions they want creates new attack surfaces that organizations aren’t yet equipped to handle.</p><p>This is the defining tension of the AI era.</p><p>AI agents are proliferating across enterprises with 91% of organizations already using them yet only 10% have a clear <a href="https://www.techradar.com/best/it-management-tools">IT management</a> strategy in place. </p><p>This gap matters because as these systems grow more autonomous and more deeply embedded in workflows, enterprises are operating without clear visibility, meaningful oversight and control over how their AI agents behave.</p><h2 id="the-access-problem">The access problem</h2><p>Our recent research revealed how agents running on OpenClaw, an <a href="https://www.techradar.com/best/best-open-source-software">open-source</a> AI agent automation platform, could expose credentials and leak sensitive information when attackers compromised the communication channels controlling them.</p><p>To appreciate the scale of this risk, we must first understand the platform itself. OpenClaw combines a chatbot-style interface with access to external tools and <a href="https://www.techradar.com/computing/artificial-intelligence/best-llms">large language models</a>. </p><p>Users can then configure agents to browse the web, read and write files, manage inboxes, execute commands, or interact with other machines. In many cases, they’re designed to operate autonomously with minimal human oversight.</p><p>That level of access is what makes agents powerful, helping many to manage everyday admin and time-consuming tasks. However, this power is a double edged-sword and can make them a risk to businesses.  </p><h2 id="when-agents-become-attack-surfaces">When agents become attack surfaces</h2><p>Agents need access to tools, accounts, applications, the web and more to be useful. Often, this means an agent needs access to secrets: API keys, personal access tokens, credentials, .env files, OAuth tokens. </p><p>The agents/models are by default prompted to be as helpful as possible, and that characteristic starts to pose some particular concerns when it comes to credentials and tokens. If an agent such as OpenClaw can’t access a resource, it will ask for credentials right in the chat, exposing those secrets within the context window. Agents will happily store API keys in their unencrypted configuration files, which information-stealing <a href="https://www.techradar.com/best/best-malware-removal">malware</a> is starting to target. </p><p>Remote access capabilities could effectively create a back door into enterprise environments. If an attacker gained access to the communication channel controlling an agent, such as a <a href="https://www.techradar.com/pro/best-enterprise-messaging-platform">messaging</a> or remote access platform, they could potentially gain access to everything the agent itself could access. In an enterprise context, this is a nightmare. </p><h2 id="the-paradox-of-recognized-risk">The paradox of recognized risk</h2><p>Perhaps the most revealing finding was that some agents recognize risky behavior while simultaneously carrying it out. This underlines how their decision-making ability and autonomous operations can be a business risk. </p><p>In one test, an agent correctly identified that exposing an OAuth refresh token through an unencrypted communication channel represented a serious <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> violation. But it then proceeded to share the token anyway before expressing concern about its own decision.</p><p>Organizations should not rely on the invisible guardrails that frontier model providers put around agents. They’re easily circumvented. </p><p>But an AI agent cannot divulge credentials that it doesn’t have access to. This is why the conversation around AI agent security cannot focus solely on stronger guardrails. Attackers are already finding ways to manipulate agent behavior through prompt injection, social engineering, and compromised communication channels.</p><h2 id="governance-not-just-guardrails">Governance, not just guardrails</h2><p>AI agents are essentially identities within enterprise systems and need to be managed as such. They perform actions and make operational decisions in ways that increasingly resemble human employees or privileged service accounts. Yet many organizations are deploying these systems without applying the same governance standards.</p><p>Most businesses already understand the importance of least-privilege access, audit logging, <a href="https://www.techradar.com/best/best-identity-management-software">identity management</a>, and access reviews for employees. AI agents should be subject to the same principles. That means limiting what agents can access, avoiding long-lived credentials wherever possible, and ensuring sensitive information is stored securely through centralized systems with human oversight. </p><p>Organizations also need visibility into where agents are deployed, what tools they can interact with, and how to disable them quickly if something goes wrong. If an agent goes rogue, there needs to be a “kill switch,” a way to immediately revoke an agent’s access to resources and shut it down.</p><p>Agentic AI systems could deliver major operational upsides, but deploying them without robust identity and access governance introduces significant security risk. As these systems become more deeply embedded across enterprise environments, organizations must stop treating them as experimental tools and start governing them as part of the digital workforce. </p><p>This means managing the full lifecycle of agents, from knowing which agents are deployed, what resources they access to and keeping a full audit trail so no one can say, “I don’t know what happened. The agent did it.”</p><p>There’s no reason why conventional security wisdom, such as the principle of least privilege, lifecycle management and robust logging, should be thrown out in an agentic age. In fact, it’s more relevant than ever.</p><p><em></em><a href="https://www.techradar.com/best/best-cloud-storage"><em>We've tested and reviewed the best cloud storage</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Thousands of D-Link and QNAP NAS routers compromised by fast-moving AryStinger malware that turns unsecured devices into a malicious proxy botnet ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/thousands-of-d-link-and-qnap-nas-routers-compromised-by-fast-moving-arystinger-malware-that-turns-unsecured-devices-into-a-malicious-proxy-botnet</link>
                                                                            <description>
                            <![CDATA[ More than 4,000 routers have been compromised so far, while the number of poisoned NAS devices remains unknown. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">P8KFdsr77m4i24xC9tFPEK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2FFajuvJVK8i7Her8gD4aD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jun 2026 12:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2FFajuvJVK8i7Her8gD4aD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard]]></media:description>                                                            <media:text><![CDATA[Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2FFajuvJVK8i7Her8gD4aD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>QiAnXin XLab uncovered “AryStinger,” malware exploiting old D-Link/Linksys router flaws (CVE‑2013‑3307, CVE‑2016‑5681) to build a proxy/reconnaissance network</strong></li><li><strong>So far 4,300 routers infected, mostly in South Korea (48%) and China (32%), with QNAP NAS devices also targeted via CVE‑2025‑11837</strong></li><li><strong>Compromised devices enable scanning, tunneling, and covert control; researchers advise monitoring logs, binaries in /tmp/bin, and suspicious processes like </strong><em><strong>syswapd0h</strong></em><strong> or </strong><em><strong>syswapd0w</strong></em></li></ul><p>Cybersecurity researchers QiAnXin XLab are warning about an ongoing campaign to create a distributed reconnaissance and proxy network out of people’s <a href="https://www.techradar.com/news/networking/routers-storage/best-router-9-top-wireless-routers-on-test-1090523" target="_blank">routers</a> and NAS devices. </p><p>The campaign targets outdated and unsupported routers (mostly D-Link and Linksys), powered by Realtek’s RTL819X chips which were a popular choice between 2012 and 2015. The attackers are leveraging two (ancient) vulnerabilities, CVE-2013-3307 in Linksys models and CVE-2016-5681 in D-Link ones, to infect the devices with a previously undetected piece of malware called AryStinger.</p><p>According to the researchers, AryStinger is used during the reconnaissance and planning stages of a more serious cyberattack. Devices infected with this malware can scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, all while hiding the location (and true identity) of the attackers.</p><h2 id="targeting-nas-devices">Targeting NAS devices</h2><p>“Once compromised by malware like AryStinger that possesses reconnaissance and covert control capabilities, it is equivalent to a hacker placing a permanent "invisible listening device" and "attack springboard" within your network,” the researchers said.</p><p>QiAnXin’s XLab says that So far, AryStinger infected 4,300 routers, but stresses that this is not the final number and with the campaign ongoing, will rise even more.</p><p>The majority of the victims are located in South Korea (48%) and China (32%), with notable mentions being Sweden, Malaysia, and Singapore. </p><p>AryStinger also targets QNAP’s <a href="https://www.techradar.com/news/the-10-best-nas-devices-reviewed" target="_blank">NAS devices</a>, leveraging a code injection flaw in the device’s Malware Remover. This flaw, tracked as CVE-2025-11837, was first discovered during last year’s Pwn2Own event, and was patched in November 2025. The researchers don’t know how many of these devices are currently infected, and say the 4,300 figure only relates to routers.</p><p>The researchers did not attribute this attack to any particular threat actor.</p><p>To defend against AryStinger, the researchers recommend monitoring the logs for any outbound connections to the C2 and download domains (found <a href="https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/" target="_blank">here</a>), checking /tmp/bin for unrecognized binaries, and looking for processes named syswapd0h or syswapd0w.</p><p><em>Via </em><a href="https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html" target="_blank"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'This creates a misleading impression of safety': Experts warn of hackers hijacking legitimate news websites and reviews to drum up publicity ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/this-creates-a-misleading-impression-of-safety-experts-warn-of-hackers-hijacking-legitimate-news-websites-and-reviews-to-drum-up-publicity</link>
                                                                            <description>
                            <![CDATA[ Fake reviews, news articles, and GitHub accounts are a potent mix for promoting malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Xo8Z9cRdozJkgXcf8ntiQT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Jun 2026 15:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:description>                                                            <media:text><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:text>
                                <media:title type="plain"><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Check Point Research uncovers PR‑style campaign distributing a Rust clipboard hijacker disguised as legitimate software</strong></li><li><strong>Attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels, and even newswire press releases to boost credibility</strong></li><li><strong>Malware swaps crypto wallet addresses from clipboard, with “Ghost Networks” manipulating reputation systems to evade detection</strong></li></ul><p>Hackers have launched a fully fledged, multi-platform PR campaign to trick people into thinking that the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> they’re distributing is actually legitimate software, experts have warned.</p><p>A report from Check Point Research warned that even those doing regular due diligence might get tricked. </p><p>At the center of the campaign is a clipboard jacker - a piece of infostealer malware that monitors the victim’s clipboard for <a href="https://www.techradar.com/news/best-bitcoin-wallets" target="_blank">cryptocurrency wallet</a> strings. When it detects one, it replaces it with a different one belonging to the attackers. That way, when a victim tries to send money from one wallet to another, they end up paying the attackers instead. Both Windows and macOS users are at risk.</p><h2 id="abusing-newswire-sites">Abusing newswire sites</h2><p>“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said. </p><p>“A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.”</p><p>To distribute the malware, the attackers ran a rather aggressive PR campaign: they set up a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, as well as a fake YouTube channel. But the most surprising part is distributing news articles through newswire sites.</p><p>Newswire sites are services that distribute company press releases and announcements to media outlets, journalists, websites, and investors. Most newswire services allow anyone to submit and distribute press releases, usually for a fee, but they are generally seen as a legitimate source of trustworthy news.</p><p>At the same time, the hackers went the extra mile to make sure the clipboard jacker isn’t flagged as malware. By using numerous fake accounts (so called “Ghost Networks”) they’re manipulating reputation-driven systems like VirusTotal, tricking researchers and potential users into thinking the programs are a false positive. </p><p>“Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims,” the researchers concluded. “Instead, they can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to lower suspicion and attract more users.”</p><p><em>Via </em><a href="https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html" target="_blank"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The enemy within: how to stop a simple Teams message taking down your business ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/the-enemy-within-how-to-stop-a-simple-teams-message-taking-down-your-business</link>
                                                                            <description>
                            <![CDATA[ How to overcome attackers that impersonate IT support in chat and gain access to M365 tenants. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LLSHcZ7EGwtvW3RAZvpTiX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9WT9t3hZhDVD84bF8rSypL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Jun 2026 09:01:52 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Andrea Sivieri ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9WT9t3hZhDVD84bF8rSypL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A line of robots typing at computers]]></media:description>                                                            <media:text><![CDATA[A line of robots typing at computers]]></media:text>
                                <media:title type="plain"><![CDATA[A line of robots typing at computers]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9WT9t3hZhDVD84bF8rSypL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft recently warned that attackers are impersonating IT <a href="https://www.techradar.com/best/best-helpdesk-software">help desks</a> on Teams to gain access – and if that sounds bad, well, it’s just the opening move. </p><p>The attack begins when an employee gets a message from an external user claiming to be part of the company’s third-party IT support. A common-enough setup, and the kind of thing you might expect in a normal working day. </p><p>Perhaps the employee is expecting a similar message for an outstanding ticket – and so they engage with the user and, when prompted, grant remote access.</p><p>Once attackers have that foothold, they can progress to execute a full tenant lockdown using only Microsoft's own legitimate features, without ever deploying traditional ransomware. It won’t look like <a href="https://www.techradar.com/best/best-malware-removal">malware</a>, and that means traditional defense systems won't catch it. </p><p>A real-time chat in a sanctioned <a href="https://www.techradar.com/best/best-online-collaboration-tools">collaboration tool</a>, with a plausible IT support pretext is hard for busy employees to spot. For hackers, it’s a simple way to gain access to privileged and confidential data. </p><p>All they need is a few user-approved clicks and they have gained access to Quick Assist, registry persistence, lateral movement across the victim's environment and eventual data exfiltration over HTTPS. All without triggering suspicion.  </p><p>Data theft is just the opening move. Once attackers have privileged access through this kind of social engineering, the same foothold opens the door to full tenant ransom scenarios. Attackers can encrypt OneDrive and SharePoint content at scale, locking legitimate administrators out of the tenant by hijacking Global Admin accounts and conditional access policies. </p><p>They can hijack native M365 features like sensitivity labels to render data inaccessible.</p><h2 id="hoist-by-your-own-petard">Hoist by your own petard</h2><p>IT decision makers may believe they're covered against this kind of theft or lockout because they have <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a> protection in place, but the reality is that many are more exposed than they know. </p><p>This attack class is effectively invisible to standard <a href="https://www.techradar.com/news/best-endpoint-security-software">endpoint protection software</a>, because the encryption that locks companies out of their critical data is performed by Microsoft's own features, not malicious code. </p><p>Hang on, you might say – in that case, isn’t this an easy fix? Don’t I just log in myself and un-encrypt the data? Sadly, the solution is anything but straightforward. Recovery from a full tenant takeover can take weeks and often requires direct Microsoft intervention. </p><p>During that period of time, critical business activities are likely to be disrupted or even halted completely, leading to potentially major financial and reputational losses.</p><p>Overall, the <a href="https://www.techradar.com/best/best-microsoft-teams-alternatives">Microsoft Teams</a> help desk impersonation attack works because it weaponizes the trust organizations put in systems like Microsoft 365. That level of often-blind trust puts organizations at risk, because native M365 controls were built for administration, not for resilience against real-time social engineering.</p><h2 id="building-360-protection-for-365">Building 360 protection for 365</h2><p>Clearly, the risk posed by this kind of social engineering attack is significant. It highlights the fact that Microsoft 365 has become critical infrastructure that demands a dedicated operational control plane, not just admin tooling. Businesses cannot simply plug, play, and walk away, hoping the system will protect itself. They need to have a deep level of insight into what’s going on across their tenant, who has access, and whether anything unusual or suspicious is taking place.</p><p>As a result, visibility into privileged role assignments, configuration drift, and admin activity in real time is no longer optional. It's the difference between a contained incident and a business-stopping event. </p><p>Organizations need an operating layer that provides that continuous visibility across thousands of configuration attributes and follows a least-privilege administration protocol. Spotting configuration drift, privilege changes, and anomalous activity is only possible when you know what 'normal' looks like, and that requires years of telemetry across complex, real-world tenants. </p><p>This approach can help build in tenant resilience within the Microsoft 365 environment, reducing the damage that a single human slip can cause, and ringfencing malicious access quickly after a breach.</p><p>Another key consideration is the introduction of next-gen technology to improve defensive intelligence, speed, and granularity. An AI-enabled operating layer can surface anomalous configuration drift and privilege changes the moment they happen, not days later in a log review. </p><p>By drawing on proprietary tenant context - permissions, role assignments, configuration history, and behavioral baselines built from millions of real-world events - AI can surface malicious activity that generic tooling would miss entirely. </p><p>In cases like these, a rapid response is crucial. The quicker controllers are alerted to the danger, and the quicker entry is revoked for the suspicious user, the lower the chance of either a data breach or a lockout.</p><p>At root, the Teams attack exploits the oldest <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> risk in the book: human error. No organization's staff are error-proof, which means additional defensive help is required to preserve the integrity of critical M365 tenants. </p><p>In reality, the addition of a powerful, intelligent control layer is the only way businesses can prevent a single approved remote session from escalating into domain-wide compromise.</p><p><em></em><a href="https://www.techradar.com/pro/best-active-directory-documentation-tool-of-year"><em>We feature the best Active Directory documentation tools</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Gamers beware — experts flag Steam Workshop is being abused to spread malware via Wallpaper Engine app ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/gamers-beware-experts-flag-steam-workshop-is-being-abused-to-spread-malware-via-wallpaper-engine-app</link>
                                                                            <description>
                            <![CDATA[ Even a wallpaper can carry a virus these days, so be careful what you're downloading. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">B3V2m3Yxk6tVMC8s5Vf7DG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ijYNM9nFwBzeyTVPTzBdBj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jun 2026 17:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ijYNM9nFwBzeyTVPTzBdBj-1280-80.jpg">
                                                            <media:credit><![CDATA[Wallpaper Engine]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Wallpaper Engine app, available on Steam.]]></media:description>                                                            <media:text><![CDATA[Wallpaper Engine app, available on Steam.]]></media:text>
                                <media:title type="plain"><![CDATA[Wallpaper Engine app, available on Steam.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ijYNM9nFwBzeyTVPTzBdBj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Kaspersky found Steam Workshop wallpapers weaponized to deliver malware via Wallpaper Engine</strong></li><li><strong>Dozens of malicious “application wallpapers” downloaded tens of thousands of times, spreading backdoors, infostealers, miners, and ransomware</strong></li><li><strong>Valve removed the infected uploads, but users warned attackers could easily re‑upload new ones</strong></li></ul><p>Steam Workshop, a community platform built into Steam that allows users to share custom content, was being used to infect gamers with malware, researchers have claimed.</p><p>For at least half a year, gamers that used the platform to download certain wallpapers were being served various malware, Kaspersky recently explained.</p><p>This campaign has been running since at least late 2025, Kaspersky said - with some sources noting the majority of the victims are in <a href="https://cyberinsider.com/steam-workshop-hosts-wallpapers-with-account-stealing-malware/" target="_blank">Russia and China</a>.</p><h2 id="dozens-of-malicious-wallpapers">Dozens of malicious wallpapers</h2><p>Steam is a hugely popular digital distribution platform for PC games, developed by a company called Valve. Baked into it is Workshop, a community tool where gamers can share mods, maps, skins, wallpapers, and other add-ons for games and applications.</p><p>Among other things, Steam Workshop allows gamers to use Wallpaper Engine, a desktop customization application that supports more than just “static” image wallpapers. With it, gamers can have videos, interactive animations, and even entire applications, displayed as a wallpaper.</p><p>And that is where the problem lies - hackers have been using application wallpapers as delivery mechanisms for different <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, including backdoors and cryptojackers.</p><p>"We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times," Kaspersky said.</p><p>Looking deeper into the weaponized wallpapers, Kaspersky found that the malware is often either bundled in the package, or delivered inside a password-protected archive. The payload itself gets executed automatically the moment the user installs the wallpaper, it was said. In one example, Kaspersky was served a backdoor, and in another, an infostealer. Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains, were all being distributed this way. </p><p>Kaspersky disclosed its findings only after Steam identified and removed all of the malicious wallpaper applications. However, users should approach with caution, because there’s nothing stopping the threat actors from simply uploading new ones.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why security leaders are cautious about agentic AI ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/why-security-leaders-are-cautious-about-agentic-ai</link>
                                                                            <description>
                            <![CDATA[ Agentic AI can improve security operations, but only with strong oversight and real context. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6PsQPF8bBKTztASxR92V6W</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jun 2026 10:58:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Howie Koh ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg">
                                                            <media:credit><![CDATA[Thapana Onphalai via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:description>                                                            <media:text><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:text>
                                <media:title type="plain"><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Agentic AI is everywhere in <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> right now, but it often feels like everyone is using the term slightly differently. </p><p>Vendors are quick to mention it, yet rarely stop to explain what it actually means in practice or what problem it’s meant to solve. </p><p>For security leaders, that makes it a difficult space to navigate, especially when expectations are high but clarity is still catching up.</p><p>At its core, agentic AI describes a goal-oriented system of multiple agents that can act, sometimes autonomously, towards an outcome. That is a concept, not a cybersecurity result. </p><p>In software development, the value is more straightforward. Multiple agents can collaborate to write, test, and improve code. In cybersecurity, the environment is far more fragmented. </p><p>Tools span <a href="https://www.techradar.com/news/best-endpoint-security-software">endpoint</a>, network, identity, cloud, vulnerability management, and response. If agentic AI is limited to a single vendor’s ecosystem, it cannot deliver meaningful outcomes. It simply operates within another silo.</p><h2 id="the-challenge-of-fragmented-security-environments">The Challenge of Fragmented Security Environments</h2><p>The cybersecurity industry has long talked about platformization, but in practice many platforms have become larger collections of disconnected capabilities. This is where many early implementations fall short. </p><p>Instead of transforming workflows, they provide a chat interface that allows operators to query multiple systems. While this may improve usability, it actually increases cognitive load. </p><p><a href="https://www.techradar.com/news/best-internet-security-suites">Security</a> teams need to know what the platform is capable of, ask the right questions, interpret results, correlate findings, and decide on actions.</p><h2 id="why-caution-is-justified">Why Caution Is Justified</h2><p>Security leaders are right to approach agentic AI carefully. The market is full of bold claims about autonomous systems that can solve complex problems without human input. In reality, most of these systems are far from that level of capability. </p><p>Without expert level instruction, agentic systems cannot operate autonomously in a reliable way. Many current solutions depend on users crafting prompts and interpreting outputs. </p><p>Transparency is another concern. If a vendor cannot clearly explain how their system works, what data it uses, and where human oversight applies, it is difficult to trust the outcomes. In security operations, where decisions can have direct business impact, that lack of clarity is unacceptable.</p><h2 id="the-role-of-guardrails-and-human-oversight">The Role of Guardrails and Human Oversight</h2><p>Effective agentic AI in cybersecurity must include strong guardrails and human-in-the-loop control. Security teams can use AI to accelerate investigation, analysis, and prioritization, but final decisions must remain with people.</p><p>Actions need to be explainable, traceable, and auditable. Security leaders must be able to understand why a recommendation was made and what evidence supports it. Without that, trust quickly breaks down.</p><p>The goal is not to remove humans from the process, but to give them better information faster and reduce the number of manual steps required to reach a decision.</p><h2 id="planning-past-the-hype-cycle">Planning Past the Hype Cycle</h2><p>The industry is already moving beyond early experimentation. Agentic workflows are beginning to reshape how security operations function. In some cases, they will reduce the need for traditional orchestration approaches as <a href="https://www.techradar.com/best/best-bi-tools">intelligence</a> becomes embedded directly in investigation and response.</p><p>At the same time, new models, like Mythos, are emerging that can assess vulnerabilities and provide deeper insight into risk. These developments will challenge tools that rely heavily on static analysis or periodic assessments.</p><p>Mythos has transformed the vulnerability detection space and we’re starting to see disruptive volumes of findings. But, what happens 12 months from now after the number of findings plateau? How will your agentic tools detect misconfiguration or poor posture and take remediation action for those vulnerabilities that did not get patched? </p><p>That’s where the real test begins. Agentic AI offering lasting value should move beyond discovering issues to continuously identifying root causes, detecting drift in posture or configuration, and guiding remediation over time.</p><h2 id="what-good-looks-like-in-practice">What Good Looks Like in Practice</h2><p>When implemented correctly, agentic AI can deliver meaningful benefits. Consider a <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a> incident. Instead of requiring an analyst to manually investigate across multiple tools, an agentic system could connect events across endpoint, network, and identity data.</p><p>It could identify that <a href="https://www.techradar.com/best/best-malware-removal">malware</a> execution is linked to a disabled protection control, trace lateral movement attempts, and highlight indicators of compromise. All of this information can be presented as a clear, evidence based narrative.</p><p>Rather than sorting through alerts, the analyst is given a concise understanding of what happened, why it matters, and what actions can be taken. This might include isolating affected systems or restricting access to contain the threat.</p><h2 id="reducing-noise-and-improving-decision-making">Reducing Noise and Improving Decision Making</h2><p>One of the biggest challenges in security operations is the volume of alerts. Agentic AI has the potential to improve the signal to noise ratio by correlating data and focusing attention on what truly matters.</p><p>By combining evidence from multiple sources, it can escalate only the most critical issues and provide clear reasoning behind those decisions. This allows teams to respond more quickly and with greater confidence.</p><p>Today, many investigations take hours or even days. By automating key steps, agentic AI can reduce that time significantly, helping teams keep pace with fast moving threats while reducing burnout.</p><h2 id="what-to-prioritize">What to Prioritize</h2><p>Security leaders need to separate <a href="https://www.techradar.com/best/best-online-marketing-services">marketing</a> claims from real capability. Many vendors promote AI, but few are using it to fundamentally improve how security work is done. The focus should be on solutions that reduce detection and response time and improve operational efficiency.</p><p>Strong solutions are grounded in real data. They rely on tools that directly observe activity across endpoint, network, identity, and cloud environments. This data provides the foundation for accurate analysis and decision making.</p><p>Equally important is the ability to take action. Systems that only generate alerts or tickets add friction. The most valuable platforms enable teams to act within the same workflow, whether that means isolating devices, enforcing policies, or guiding response actions.</p><h2 id="a-practical-path-forward">A Practical Path Forward</h2><p>Not all consolidation is beneficial. Security teams should avoid solutions that add noise without improving clarity.</p><p>They should also be cautious of systems that rely heavily on open ended prompts. These interfaces often shift the burden onto the user, forcing them to determine what questions to ask and whether the system can answer them.</p><p>Security leaders should avoid AI that produces unreliable or unsupported outputs. Effective agentic AI must be grounded in repeatable workflows and supported by verifiable evidence.</p><p>Agentic AI has potential to improve cybersecurity operations, but only when it is applied thoughtfully. The goal is not full automation, but meaningful augmentation of human expertise.</p><p>CISOs should adopt a measured approach. Invest in solutions that provide clear value today, maintain governance and oversight, and build toward greater capability over time. By focusing on outcomes rather than hype, security leaders can take advantage of agentic AI without introducing unnecessary risk.</p><p>Success will come from using AI to make security teams faster, more informed, and more effective while keeping humans firmly in control of decisions that matter most.</p><p><em></em><a href="https://www.techradar.com/best/best-identity-management-software"><em>We rank the best identity management software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How can businesses respond to the next generation of AI? ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/how-can-businesses-respond-to-the-next-generation-of-ai</link>
                                                                            <description>
                            <![CDATA[ As AI lowers the barrier of entry for cybercriminals, the baseline for defense must too rise. Anthropic AI’s Mythos model is a wake-up call. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oBx4EhWdCXxB5edqsUjUvE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mfPaYGQmks2VALWFFBnSej-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jun 2026 07:14:25 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sujatha S Iyer ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mfPaYGQmks2VALWFFBnSej-1280-80.jpg">
                                                            <media:credit><![CDATA[Blue Planet Studio/Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A robot hand touching a locked digital shield blocking a human from accessing data]]></media:description>                                                            <media:text><![CDATA[A robot hand touching a locked digital shield blocking a human from accessing data]]></media:text>
                                <media:title type="plain"><![CDATA[A robot hand touching a locked digital shield blocking a human from accessing data]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mfPaYGQmks2VALWFFBnSej-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>As AI models continue to evolve, including newer systems such as Claude Mythos, conversations around their impact on cybersecurity are becoming more common. </p><p>While headlines can sometimes overstate the risks, the broader reality is that increasingly capable <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> may also make cyberattacks more sophisticated and accessible. </p><p>For UK businesses, this is a reminder that cyber resilience isn’t just an AI issue. </p><p>It’s a priority which requires board-level attention. </p><p>As AI lowers the barrier of entry for cybercriminals, the baseline for defense must rise too.  </p><h2 id="ai-s-impact-on-cybercrime">AI’s impact on cybercrime </h2><p>AI has turbocharged the arsenal of cyber-attackers. For instance, sophisticated tools can enable fraudsters to launch large-scale identity attacks via methods such as deepfake images, document spoofing, and synthetic identities.  </p><p>These technologies are all scalable and automated which means the speed of compromise has narrowed from days to minutes. Hacks are often happening faster than organizations can respond. And increasingly accessibility to the technology means it can be weaponized by anyone. </p><p>It is important to stress that while this paints a bleak picture, the same technology can be leveraged by organizations to detect anomalies and strengthen <a href="https://www.techradar.com/best/best-identity-management-software">identity management</a>. But as these technologies continue to evolve, organizations can no longer rely on traditional fraud detection methods.  </p><h2 id="the-shift-from-reactive-to-pre-emptive">The shift from reactive to pre-emptive  </h2><p>Many organizations are still following yesterday’s security methods to deal with today’s threats. A reactive <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> approach is no longer enough in an era where AI driven attacks are accelerating and expanding the attack surface. </p><p>That doesn’t mean businesses shouldn’t have a recovery strategy: having a plan in place to detect attacks and respond to incidents is still key. But prevention and prediction are now the name of the game. </p><p>Businesses should focus on building an approach which shifts the focus of security teams from detection and response to prevention. This includes using technology such as AI to anticipate threats and focus on validating security control. This prevents attackers from exploiting vulnerabilities and enables continuous testing and verification of methods.  </p><p>Traditional perimeter-based approaches are no longer sufficient when threats are becoming more adaptive and intelligent. Instead, organizations need to prioritize continuous <a href="https://www.techradar.com/best/best-network-monitoring-tools">network monitoring</a>, identity-first security, and rapid incident response capabilities that can keep pace with AI-driven threats. </p><p>Failure to do so means that businesses risk major security incidents, financial losses, and competitive disadvantage. </p><h2 id="strengthening-cyber-hygiene-at-every-level">Strengthening cyber hygiene at every level </h2><p>The cyber resilience of businesses also depends on strengthening cyber hygiene at every level. Even the most advanced tools can be undermined by poor <a href="https://www.techradar.com/best/best-patch-management-tools">patch management</a> or lack of employee awareness. </p><p>Training and development are crucial for employees to acquire the necessary skills to utilize AI effectively and explore new opportunities. Businesses should also focus on continually educating their employees on the secure usage of generative AI systems.  </p><p>This should be alongside <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity </a>training – such as helping employees at all levels to identify the tell-tale signs of AI-driven attacks. And implementing strong password policies is also crucial.  </p><p>It’s also critical to focus on periodic patching of endpoints. The first level of <a href="https://www.techradar.com/best/best-malware-removal">malware</a>, <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a>, and phishing-based attacks often happens on an endpoint. Here, AI is a friend rather than a foe: AI-driven security decisions, continuous risk assessment, and platform-level integration help to protect endpoints. </p><h2 id="the-key-takeaway">The key takeaway </h2><p>New cybersecurity risks, the growing influence of AI, and the expectations of clients and regulators all means that UK businesses need to supercharge their cyber approach. Not only can a comprehensive and effective recovery plan help business bounce back with minimal impact - but it’s cheaper than paying the price of a breach. </p><p>Looking to the future, the evolution of AI – including ever-improving agents - will pose new threats to businesses. Organizations should rethink their approaches, with a traditional response driven strategy no longer sufficient when threats are becoming more adaptive and intelligent. Instead, a preemptive security model can enable them to keep pace with AI-driven threats. </p><p>It’s also worth remembering that AI can be used to play a role in protecting businesses. Mozilla tested Mythos on its Firefox browser and found 271 flaws. It was able to fix them. It’s encouraging that these flaws were ones that could have been found by a human researcher – and that the AI was able to discover them quickly and at scale. </p><p>While these AI tools should encourage organizations to rethink their assumptions about threat actors, their powers can also be used for good.</p><p><em></em><a href="https://www.techradar.com/best/best-antivirus"><em>We've reviewed and rated the best antivirus software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ In the age of AI-based threats, zero-trust is no longer enough ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/in-the-age-of-ai-based-threats-zero-trust-is-no-longer-enough</link>
                                                                            <description>
                            <![CDATA[ The emergence of AI-based threats means zero-trust is no longer strong enough to tackle these alone. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ndXZWkWw5QiWNAUqJEmtKc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/JpXukHGqkZ8gapEzDQNqRW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Jun 2026 14:21:15 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dr. Lyron Andrews ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/JpXukHGqkZ8gapEzDQNqRW-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / ZinetroN]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Nytt DDoS-rekord]]></media:description>                                                            <media:text><![CDATA[Concept art representing cybersecurity principles]]></media:text>
                                <media:title type="plain"><![CDATA[Concept art representing cybersecurity principles]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/JpXukHGqkZ8gapEzDQNqRW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>As AI-based threats continue to dominate the conversation around security, it’s no surprise that half (50%) of organizations are on track to adopt zero-trust data governance by 2028. In the past few years, zero-trust has become the cornerstone of modern <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> strategy – but the emergence of AI means it’s no longer strong enough to tackle rapidly developing AI-based threats alone.</p><p>As AI threats continue to rise, CISOs are challenging the misconception that zero-trust architecture (ZTA) is a one-size-fits-all solution which can give organizations peace of mind, and means they don’t need to worry about security. Instead, they are focused on maximizing ZTA’s capabilities while also recognizing its shortcomings and where additional forms of security are necessary.</p><p>Some professionals argue that <a href="https://www.techradar.com/best/ztna-solutions">zero trust</a> is nothing more than OAuth, but in reality ZTA is far more comprehensive and is a strategic framework, not just a protocol. With deepfake fraud attempts rising 94% year-on-year and attack surfaces expanding, ZTA is more important than ever, but AI-backed attacks growing by almost 100% in 2025 means that other forms of security are also necessary.</p><p>ZTA can strengthen cybersecurity by continuously assessing access, but it cannot fully prevent insider attacks, software vulnerabilities or physical security breaches. As AI learning models advance in their capabilities to enter systems unnoticed, a variety in security protocols are needed to challenge it.</p><h2 id="why-the-protection-doesn-t-change-regardless-of-the-threat">Why the protection doesn’t change, regardless of the threat</h2><p>Traditional cybersecurity models, including ZTA, were designed around predictable human behavior and manually executed attacks, but the rise of AI-powered systems means that speed and scale of attacks has changed significantly.</p><p>ZTA-based security systems were built and implemented at a time when the biggest threat to security was human threat actors entering systems to download <a href="https://www.techradar.com/best/best-malware-removal">malware</a> onto them. This is timely and very manual, with threat actors trying lists of passwords to enter systems or sending phishing emails. AI-driven autonomous systems can operate independently, so while the core principles of security remain unchanged, the methods used to implement them must evolve to address the threats these systems face.</p><p><a href="https://www.techradar.com/news/best-internet-security-suites">Internet security</a> systems still depend on protecting attack surfaces, which are consistently expanding due to the introduction of new pathways for autonomous decision-making and machine-to-machine interaction. AI systems require more connectivity compared with manual ones, creating more opportunities for agents to exploit vulnerabilities both intentionally and accidentally.</p><p>Natural <a href="https://www.techradar.com/best/best-language-learning-apps">language</a> itself is also an attack surface, with AI systems accepting ambiguous instructions without questioning their context or intention. This means attackers can manipulate systems through emails, messages and hidden text, creating new attack surfaces and making AI agents far more vulnerable to attacks than traditional systems, which require detailed code inputted by a skilled developer to operate.</p><p>Human-in-the-loop controls are crucial for natural-language based attacks, with systems unable to distinguish between suspicious or correct prompts. Maintaining human controls over security measures, even those that are largely automated, ensures that attacks which use natural language or hidden context can be identified.</p><h2 id="a-measurable-approach-to-security-minimizes-blast-radius">A measurable approach to security minimizes blast radius</h2><p>ZTA minimizes an attacker’s ‘blast radius’ by assuming that no user or device should be inherently trusted, even once initial access has been granted. It prevents threat actors from moving across systems, meaning that should a compromise happen, the attacker will struggle to reach sensitive systems or escalate privileges without permission.</p><p>AI accelerates attack attempts, scanning environments continuously and testing permissions automatically. It can adapt strategies in real time, changing methods of attack and discovering system weaknesses much faster than humans can through manual searches. AI attacks increasingly exploit layers including workflows and agent-to-agent interactions, changing the fundamentals of what is required of ZTA systems.</p><p>As a result, ZTA systems must evolve beyond static identity and <a href="https://www.techradar.com/news/best-access-control-systems">access controls</a> to continuously monitor interactions between autonomous agents, responding dynamically to abnormal activity in real time and shifting zero-trust from a user-focused model to one capable of governing machine-to-machine ecosystems.</p><p>By using quantifiable data and continuous evaluation, cybersecurity teams can determine whether newly implemented controls are effective, turning security systems into an evidence-based process.</p><h2 id="misconceptions-around-zta-can-lead-to-heightened-security-threats">Misconceptions around ZTA can lead to heightened security threats</h2><p>Many experts believe that ZTA means AI can be deployed safely without additional security controls. ZTA reduces certain categories of risk but does not guarantee total safety once AI has entered a system, or has been built into internal workflows.</p><p>Zero-trust was built around human identity, and focuses on verifying who a user is, whether they are acting unusually and if their device is compliant. But AI-based threats can enter systems successfully using false biometrics or by guessing passwords, or may have been given access to a system previously to automate tasks.</p><p>An authorized AI agent can leak sensitive data or misuse the tools it already has access to without ever alerting ZTA that something is wrong. In order to use ZTA accurately, cybersecurity professionals must avoid overconfidence in its ability to ensure that AI systems behave safely or truthfully once access is granted.</p><h2 id="diversifying-security-defenses-against-ai-driven-threats">Diversifying security defenses against AI-driven threats</h2><p>Alongside ZTA, organizations must also implement additional tools to protect against attacks - systems that ensure that AI is not left unsupervised to make its own decisions without interference. AI systems continuously evolve, with models updating regularly, meaning organizations need strict governance processes and safety benchmarking to become a permanent part of security, not just occasional checks every few weeks or months.</p><p>As threats continue to diversify and evolve, security needs to do the same, and one-size-fits-all systems are quickly becoming a thing of the past. For CISOs, a multi-pronged approach can keep their organizations safe and prevent various different types of attacks. Combining approaches including ZTA, threat intelligence and human-in-the-loop can create overlapping layers of protection that reduce single points of failure.</p><p>Mature ZTA implications make access decisions dynamically using contextual factors, allowing systems to continuously evaluate risk and limit lateral movement even if credentials are compromised. Agentic AI does not render ZTA useless, but its autonomous behavior means ZTA systems need to become more context-aware and adaptive in order to govern machine-drive interactions in real time.</p><p><em></em><a href="https://www.techradar.com/best/best-patch-management-tools"><em>We feature the best patch management software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why your help desk is still your biggest security risk ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/why-your-help-desk-is-still-your-biggest-security-risk</link>
                                                                            <description>
                            <![CDATA[ Help desks are your biggest security risk. AI fuels identity's critical vulnerability. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iwfL78WFPbwvp3oM6SzY3B</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Jun 2026 10:23:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Greg Nelson ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>When MGM Resorts suffered a crippling cyberattack in 2023, forensic teams expected to find sophisticated <a href="https://www.techradar.com/best/best-malware-removal">malware</a> or a zero-day exploit. Instead, they discovered something far simpler: an attacker called the help desk, impersonated an employee, and was handed the keys to the kingdom. Marks & Spencer and Harrods fell victim to similar attacks in 2025. </p><p>This pattern reveals a harsh reality – organizations spend millions hardening networks and endpoints while leaving identity, their most vulnerable entry point, completely exposed.</p><p>What's changed is not that help desks are vulnerable. <a href="https://www.techradar.com/news/best-internet-security-suites">Security</a> teams have known this for years. What's new is the convergence of two forces that have turned a known weakness into an urgent crisis.</p><p>Help desks make sure that locked-out <a href="https://www.techradar.com/best/best-employee-scheduling-software">employees</a> can get back to work as quickly as possible. However, the pressure to restore productivity creates an environment where speed often trumps security.</p><p>The typical interaction follows a predictable path: the caller provides basic identifying information, explains why they need access, and receives credentials. For an attacker who has done minimal reconnaissance on LinkedIn or company websites, this is trivial to replicate.</p><p>This attack vector is particularly dangerous because it bypasses most security controls like firewalls, endpoint detection, and network monitoring. These measures are blind to an attacker who talks their way through the front door with legitimate credentials issued by your own staff.</p><h2 id="why-this-old-problem-demands-new-urgency">Why this old problem demands new urgency</h2><p>Artificial intelligence has lowered the barrier for social engineering attacks. An attacker just needs the right tools and basic information to create real damage. The U.S. Department of Health and Human Services has warned that adversaries are using AI voice impersonation to target hospital help desks.</p><p>Accelerated by AI, phishing and spoofing scams increased by over 85%, and the average financial losses have more than doubled from $1,000 to $2,060.</p><p>At the same time, most organizations have embraced zero-trust principles for network access while performing perfunctory security checks to check help desk interactions. An employee accessing a file server goes through multiple verification steps.</p><p>An unknown caller asking the help desk to reset that same employee's <a href="https://www.techradar.com/best/password-generator">password</a> may face nothing more than security questions with answers easily found online.</p><h2 id="three-best-practices-for-help-desk-security">Three best practices for help desk security</h2><p>The most common pushback to strengthening <a href="https://www.techradar.com/best/best-helpdesk-software">help desk</a> security is operational. What happens when an executive loses their phone while traveling? What if an employee legitimately cannot access their registered device?</p><p>The answer is tiered response protocols combined with three interconnected controls that close the help desk vulnerability gap:</p><p><strong>1. Harden identity operations</strong>. Every access request should trigger the same verification standards. Multi-factor authentication cannot be optional or easy to bypass.</p><p>Implement passwordless, phishing-resistant authentication methods using industry standards. However, even passwordless systems can be compromised if credential recovery and enrollment processes remain vulnerable to social engineering.</p><p>Security questions based on static information should be replaced with dynamic verification that is harder to research or guess. Conduct regular identity governance reviews to eliminate stale accounts and ensure no identity has more access than necessary.</p><p><strong>2. Tie device enrollment to identity. </strong>When you reset credentials or restore access, verify that the receiving device belongs to the legitimate user. Device-bound passkeys cryptographically tie <a href="https://www.techradar.com/best/best-authenticator-apps">authentication</a> to a specific physical device and cannot be synced or transferred. This provides stronger assurance than synced passkeys, which can move between devices.</p><p>An attacker cannot call in, get a password reset, and access systems from an unmanaged device. The device need not be corporate-owned, but it must be registered and verified as part of the user's identity profile. Requiring this device-bound verification for any credential change immediately narrows the attack surface.</p><p><strong>3. Use bi-directional verification to keep both employees and help desks secure</strong>. Both parties need the ability to verify each other, depending on who initiates contact. When a user contacts the help desk, the agent should verify their identity before taking action.</p><p>Before resetting credentials or granting access, use callbacks to registered numbers or send verification codes to registered devices. This protects against attackers impersonating employees, as seen in the MGM and Harrods breaches. When the help desk reaches out to users, employees should have a way to verify the legitimacy of the contact before sharing any information.</p><p>This protects staff from scammers posing as IT support. Verification capability in both directions ensures neither help desk personnel nor employees become vulnerable entry points for attackers.</p><h2 id="tiered-response">Tiered response</h2><p>Apply these controls using tiered response protocols. Proceed with standard verification for low-risk requests (password hints, account status checks). For high-risk actions (credential resets, permission changes, device enrollments), require elevated verification.</p><p>For truly urgent situations, establish escalation paths that maintain security. A traveling executive who lost their <a href="https://www.techradar.com/news/best-business-smartphone">phone</a> should contact their direct manager for verification before support acts. An employee with a broken device should visit IT in person with identification.</p><p>These controls are most effective when they work together. <a href="https://www.techradar.com/best/best-identity-management-software">Identity</a> verification without device verification leaves gaps, while device verification without hardened identity operations can be circumvented. Both are undermined if help desk workflows bypass these controls in the name of convenience.</p><p>Technology only cannot solve a people problem, but it can make the right behaviors easier and the wrong behaviors harder. Help desks will always be targets because they control access.</p><p>The question is whether organizations will continue treating them as trusted channels immune to compromise, or recognize them as the critical security control points they have become.</p><p>Breaches will continue. Attackers will keep calling. But organizations that recognize help desks as the critical identity control points they are, and secure them accordingly, can finally close the door that's been left open for too long.</p><p><em></em><a href="https://www.techradar.com/news/best-endpoint-security-software"><em>We've featured the best endpoint protection software.</em></a></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers are using TikTok videos offering 'free Spotify Premium' to spread malware and steal passwords ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-are-using-tiktok-videos-offering-free-spotify-premium-to-spread-malware-and-steal-passwords</link>
                                                                            <description>
                            <![CDATA[ Videos advertising free subscriptions are leading victims away to download and install malware via command-line tools. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KyiMnDdJEodaXo9D6zhJN8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 11 Jun 2026 16:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Craig Hale ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/GV8qRsHBkpSAQxiYKjTt6H.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:description>                                                            <media:text><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:text>
                                <media:title type="plain"><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>TikTok and Instagram Reels now being used to target victims</strong></li><li><strong>"Free" Spotify, Microsoft, Adobe subscriptions targeting cash-strapped users</strong></li><li><strong>Social engineering is still the top vector, but basic account security measures do a lot of the heavy lifting</strong></li></ul><p>A new report from <a href="https://www.reversinglabs.com/blog/social-media-attacks-phishing" target="_blank">ReversingLabs</a> is warning doomscrollers of videos spreading across short-form platforms like TikTok and Instagram Reels infecting users with password-stealing malware.</p><p>The videos typically promise free access to subscriptions like Spotify Premium, Windows, Office and Adobe – an instant, telltale sign that things might not be as they seem.</p><p>Instead of receiving phishing emails, victims are instructed to open command-line tools like PowerShell, then paste and run the command shown in the video.</p><h2 id="watch-out-for-this-info-stealing-malware">Watch out for this info stealing malware</h2><p>When they run the command, it triggers a piece of malware to be downloaded and installed to a victim's computer. Vidar, the infostealer, targets usernames, passwords, cookies, session tokens, cryptocurrency wallet data, personal files and documents, and other sensitive information.</p><p>But more importantly, it marks a significant change – previously, email phishing campaigns have been extremely popular for gaining access to victims' credentials, with a simple click of a link leading to potential disaster. This newer method relies on victims physically inputting commands into a tool, which requires more patience.</p><p>Ultimately, the attack exploits current economic strains and the fact that consumers are looking out for cheap and free alternatives to popular subscriptions.</p><p>"This kind of social engineering is an easy way for threat actors to drive traffic off social media and onto an attacker-controlled malicious website," the researchers wrote.</p><p>Regardless, the overarching theme is that social engineering remains the clearest path for attackers to reach victims, and that's good news because there are many basic principles could-be victims can follow, like using multi-factor authentication to secure accounts.</p><p>Being wary of suspiciously cheap or free products/services and only downloading software from official vendors would also help in this instance.</p><figure class="van-image-figure pull-right inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:676px;"><p class="vanilla-image-block" style="padding-top:31.51%;"><img id="diM9tpwF2Lz85R8q85CT78" name="tr-g_news" alt="Google logo on a black background next to text reading 'Click to follow TechRadar'" src="https://cdn.mos.cms.futurecdn.net/diM9tpwF2Lz85R8q85CT78.jpg" mos="" align="right" fullscreen="" width="676" height="213" attribution="" endorsement="" class="pull-rightinline"></p></div></div></figure>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Fake X-VPN installers found to spread credential-stealing malware — here's how to stay safe ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/vpn/vpn-privacy-security/fake-x-vpn-installers-found-to-spread-credential-stealing-malware-heres-how-to-stay-safe</link>
                                                                            <description>
                            <![CDATA[ Researchers found a trojanized X-VPN installer used to deploy STX RAT malware. X-VPN itself was not breached, and only attacker-hosted downloads are affected. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">U7ZvbWfADGzg973ugNchhG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Jun 2026 09:30:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[VPN Privacy &amp; Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ monicajwrites@gmail.com (Monica J. White) ]]></author>                    <dc:creator><![CDATA[ Monica J. White ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/6AQ4y5nzk8kQ47Yp69GERj.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Monica is a journalist with over a decade of experience in covering technology.&lt;/p&gt;&lt;p&gt;She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors. Her coverage includes CPUs, GPUs, and everything else that goes into a PC or a laptop, but also peripherals.&lt;/p&gt;&lt;p&gt;GPUs are Monica’s main area of interest, and nothing thrills her quite like that time every couple of years when new graphics cards hit the market. She’s always keeping tabs on the latest from Nvidia, AMD, and Intel, including both the hardware and the software that powers our PCs.&lt;/p&gt;&lt;p&gt;As an avid gamer, her focus is always on the consumer and whether something works well and provides adequate value for the money. She believes that PC building can be intimidating, so her goal is to explain complex concepts in an approachable manner while still digging into the technical nitty-gritty we all love to learn more about.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Malware kan ställa till med oreda]]></media:description>                                                            <media:text><![CDATA[Android phone malware]]></media:text>
                                <media:title type="plain"><![CDATA[Android phone malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Fake X-VPN installer found to deploy credential-stealing malware</strong></li><li><strong>X-VPN was not hacked; only those downloading the fake app were affected</strong></li><li><strong>First targeting crypto traders, criminals widened to privacy-minded users</strong></li></ul><p>A new report has uncovered an uncomfortable truth for anyone who downloads software from somewhere other than the official source: a trusted-looking app can be weaponized against you.</p><p>Threat researchers at <a href="https://www.cyderes.com/howler-cell/cpuid-hwmonitor-xvpn-dll-sideloading-stx-rat" target="_blank" rel="nofollow">Cyderes</a> have been tracking an active campaign that uses a fake X-VPN installer to deploy <a href="https://www.techradar.com/news/what-is-malware-and-how-dangerous-is-it">malware</a> known as the STX RAT, which steals credentials and hands attackers remote control of an infected machine.</p><p>Crucially, this is not a breach of <a href="https://www.techradar.com/reviews/x-vpn">X-VPN</a>, a provider that has just <a href="https://www.techradar.com/vpn/vpn-services/x-vpn-proves-its-privacy-credentials-with-new-independent-no-logs-audit">proved its privacy credentials</a> with an independent no-log audit. The company's official download channels were unaffected, and the only people at risk were those who installed a malicious copy from attacker-controlled sources. </p><p>This is a stark reminder that, even if you pick one of the <a href="https://www.techradar.com/vpn/best-vpn"><u>best VPN</u></a> services around, you still need to be careful with downloads. As <a href="https://www.techradar.com/vpn/vpn-privacy-security/google-issues-security-alert-your-vpn-app-could-be-spyware-in-disguise">Google warned</a> in its November 2025 fraud advisory, scammers are increasingly disguising malware as legitimate VPN apps to steal users' data.</p><h2 id="how-the-fake-x-vpn-attack-works">How the fake X-VPN attack works</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:840px;"><p class="vanilla-image-block" style="padding-top:25.00%;"><img id="qNFfqSgU3XNq5a4do4hKra" name="X-VPN malware campaign" alt="Timeline of X-VPN malware campaign's evolution uncovered by Cyderes (June 2026)" src="https://cdn.mos.cms.futurecdn.net/qNFfqSgU3XNq5a4do4hKra.png" mos="" align="middle" fullscreen="" width="840" height="210" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Cyderes)</span></figcaption></figure><p>As the <a href="https://www.cyderes.com/howler-cell/cpuid-hwmonitor-xvpn-dll-sideloading-stx-rat">Cyderes' findings</a> show, attackers took genuine X-VPN program files and slipped in one extra malicious file named CRYPTBASE.dll, a technique called DLL sideloading. </p><p>Because of a quirk in how Windows finds that file, the app appears to install normally while the hidden file injects the STX RAT malware straight into the computer's memory, leaving little trace for antivirus tools to catch.</p><p>Once active, STX RAT can harvest saved browser passwords and session tokens, collect system information, run commands remotely, and talk to its servers over ordinary encrypted web traffic, so it blends in. The fake VPN was one of 11 malicious packages tied to the operation, alongside trojanized installers for Binance, Bybit, MetaTrader 5, Exodus, and Steam.</p><p>The campaign began by targeting cryptocurrency traders, then pivoted to a trojanized X-VPN package to reach privacy-conscious users who often handle sensitive credentials. The same malware spread earlier through a brief compromise of the CPUID website, which Kaspersky linked to more than 150 victims across several countries and industries.</p><p>To its credit, X-VPN responded quickly, releasing Windows version 77.5.3 with hardened DLL loading controls. Users of the X-VPN app should update to that version or later.</p><h2 id="how-to-avoid-fake-vpn-apps">How to avoid fake VPN apps</h2><p>The good news is that the single most effective defense here is also the simplest and requires no technical skill. Most of these attacks fall apart the moment you refuse to download software from anywhere other than the official source.</p><p>Use the <strong>vendor's own website or an official app store</strong>, and avoid installers from third-party repositories or links sent to you. In this campaign, the files lived in an unknown Bitbucket repository.</p><p>There have been other cases of <a href="https://www.techradar.com/pro/criminals-are-using-a-dangerous-fake-free-vpn-to-spread-malware-via-github-heres-how-to-stay-safe">criminals using a fake free VPN to spread malware</a>, so <strong>treat suspiciously cheap apps as a red flag</strong>.</p><p><strong>Type the address yourself</strong> rather than clicking ads or search results, which avoids look-alike sites.</p><p><strong>Keep software updated</strong> and run reputable <strong>security software</strong> for an extra layer of protection. Because STX RAT runs in memory and tries to evade detection, a modern <a href="https://www.techradar.com/best/best-antivirus">antivirus</a> or endpoint tool gives you an extra layer of protection alongside good download habits.</p><p>If you think you installed a fake VPN, assume your passwords and sessions may be exposed. <strong>Change important passwords</strong> from a clean device, <strong>sign out everywhere</strong>, and <strong>turn on two-factor authentication</strong>. A VPN is a valuable privacy tool, but only when you install the genuine article from a source you can trust.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Someone is impersonating our business: 5 ways to fight digital squatting ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/someone-is-impersonating-our-business-5-ways-to-fight-digital-squatting</link>
                                                                            <description>
                            <![CDATA[ Digital squatting now moves money, steals login credentials, and pulls customers toward infrastructure tied to cybercrime. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eVtcz5aho6LqQe99CwSdwf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Jun 2026 06:54:32 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Vaidotas Juknys ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg">
                                                            <media:credit><![CDATA[sarayut Thaneerat/ via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:description>                                                            <media:text><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:text>
                                <media:title type="plain"><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A couple of years ago, someone searching for our company found a website that looked like ours, used a version of our name, and sold proxies we had nothing to do with. </p><p>The impersonators were already operating before we rebranded from Smartproxy to <a href="https://www.techradar.com/reviews/smartproxy">Decodo</a> in April 2025. </p><p>They registered smartproxy.org and smartproxy.cn to catch the traffic searching for the original domain name, and the rebrand gave them an even larger pool of people who had not heard about the change.</p><p>In 2025, the World Intellectual Property Organization handled 6,282 domain name disputes, a record for the organization. Cybersquatting cases have risen 68% since 2020. </p><p>Digital squatting now moves money, steals login credentials, and pulls customers toward infrastructure tied to cybercrime. Here are five things we did, and five things any business can do, when someone copies your brand.</p><h2 id="what-digital-squatting-is-and-why-cases-keep-climbing">What digital squatting is, and why cases keep climbing</h2><p>Digital squatting means registering or using a domain name in bad faith to profit from someone else's trademark. A bad actor registers a domain close to an established brand, then uses it to intercept traffic, collect payments for services they never deliver, harvest login credentials, or push <a href="https://www.techradar.com/best/best-malware-removal">malware</a>. Most victims find out only after their money disappears. </p><p>Squatting comes in a few common forms:</p><p>1. Typosquatting registers misspellings of popular domains, such as gooogle.com instead of google.com;</p><p>2. Combosquatting adds a keyword to a real brand name, producing domains like brand-login.com or brand-deals.com; </p><p>3. TLD squatting takes the same brand name across .org, .net, .io, and .ai;</p><p>4. Homograph attacks swap in visually identical characters from other alphabets, like a Cyrillic "а" for a Latin "a".</p><h2 id="when-it-happened-to-us">When it happened to us</h2><p>We met digital squatting as the target, not the observer. We operated as Smartproxy for seven years, and over that time, the name picked up enough recognition for impersonators to want it. They registered .org and .cn, domains with no connection to our company, our infrastructure, or our team. The site copies a version of our former name and sells <a href="https://www.techradar.com/best/best-free-proxies">proxies</a> we have nothing to do with, catching traffic from people who searched for Smartproxy.</p><p>The squatting also shaped how we could operate in China. The obvious domains were already taken, so before the rebrand, we had to run our China presence under a separate name, smartdaili.cn. A customer in that market searching for the brand could land on an impostor site first. </p><p>The rebrand to Decodo did not end the problem. It added a fresh group of people who knew the old name and never heard about the change, which is exactly who the lookalike domains target. The harm reached real customers, and we saw it in their complaints to us. </p><p>Trustpilot reviews describe people who paid the lookalike sites, sent irreversible cryptocurrency payments, received poor support, and got low-quality service under a name they trusted.</p><h2 id="what-the-proxyway-research-found">What the Proxyway research found</h2><p>The case changed shape when researchers tested the impersonator's <a href="https://www.techradar.com/best/best-product-management-apps-of-year">product</a> directly. The independent researchers have purchased a standard weekly unlimited residential plan on smartproxy.org, the same product any retail buyer can get, and measured where its traffic actually exited. The method is one any paying customer could repeat, which is part of why the result carries weight. </p><p>Proxyway sent roughly 6.96 million HTTP requests through the plan across one week, with each request landing on an <a href="https://www.techradar.com/news/best-endpoint-security-software">endpoint</a> that logged the exit <a href="https://www.techradar.com/best/best-ip-address-tools">IP address</a>. After removing duplicates, the pool showed 2,023,029 unique IPs, of which 2,019,488 were IPv4, and 3,541 were IPv6. The success rate sat at 90.25%, in line with what the service advertised. </p><p>To find where those IPs came from, Proxyway compared the pool against a reference dataset of 16,192,293 verified IPIDEA exit nodes, observed over the 30 days ending January 29, 2026. Antoine Vastel, VP of Research at DataDome, built that dataset by routing traffic through IPIDEA endpoints himself and confirming each address as a working exit node, rather than relying on <a href="https://www.techradar.com/best/best-online-marketing-services">marketing</a> claims. IPIDEA is the residential proxy network that Google's Threat Intelligence Group disrupted back in January. </p><p>The comparison surfaced 773,087 IPs present in both pools. That figure equals 38.21% of the smartproxy.org pool and 4.77% of the IPIDEA dataset. The numbers sit in the table below:</p><div ><table><tbody><tr><td class="firstcol " ><p>Metric</p></td><td  ><p>Value</p></td><td  ></td></tr><tr><td class="firstcol " ><p>Smartproxy.org unique IPs (test pool)</p></td><td  ><p>2,023,029</p></td><td  ></td></tr><tr><td class="firstcol " ><p>IPIDEA dataset unique IPs (Vastel)</p></td><td  ><p>16,192,293</p></td><td  ></td></tr><tr><td class="firstcol " ><p>IPs present in both pools </p></td><td  ><p>773,087</p></td><td  ></td></tr><tr><td class="firstcol " ><p>Overlap as a share of smartproxy.org </p></td><td  ><p>38.21%</p></td><td  ></td></tr><tr><td class="firstcol " ><p>Overlap as a share of IPIDEA</p></td><td  ><p>4.77%</p></td><td  ></td></tr></tbody></table></div><h2 id="why-a-38-overlap-points-to-shared-sourcing">Why a 38% overlap points to shared sourcing</h2><p>Residential pools rotate, so some overlap between any two services is normal. IPinfo estimates monthly IPv4 retention in residential pools at around 40%, meaning roughly four in ten addresses visible this month remain next month, while the rest cycle out. Two pools drawing from genuinely separate apps, SDKs, and device populations should not share anything close to 38% of their IPs across a few-week window. </p><p>The IPv4 address space spans more than 4 billion addresses, so an overlap at this scale would be a statistical anomaly if the sources were independent. The pool sizes point the same way. The smartproxy.org pool of about 2 million IPs is roughly an eighth of the 16.2 million IPIDEA dataset, the proportion you would expect when one provider draws from part of a larger upstream pool. Shared sourcing explains the data cleanly.</p><h2 id="5-things-you-can-do-to-combat-digital-squatting">5 things you can do to combat digital squatting</h2><p>Each step below works on its own. Together, they cover monitoring, prevention, legal action, search, and customer communication.</p><h2 id="1-monitor-for-lookalike-domains-before-they-reach-your-customers">1. Monitor for lookalike domains before they reach your customers</h2><p>Catching a fake domain after a customer reports it means the damage has already happened. Monitoring closes that gap. </p><p>Set up these alerts:</p><p>i) Domain registration alerts for your brand name across common TLDs and misspellings;</p><p>ii) Brand-mention monitoring across search results and social platforms;</p><p>iii) Certificate transparency logs, which flag new SSL certificates issued for domains containing your brand name.</p><p>We learned the full extent of our case through third-party research and customer complaints, later than we wanted. Monitoring would have surfaced the registrations sooner. A weekly check across the main extensions and the three or four most likely misspellings of your name catches most attempts while they’re still new.</p><h2 id="2-register-your-own-domain-variations-first">2. Register your own domain variations first</h2><p>A squatter can’t register a domain you own. Defensive registration removes the easiest targets before anyone reaches for them. </p><p>Claim the obvious variations:</p><p>i) Major TLDs such as .org, .net, .io, and .ai</p><p>ii) Common misspellings of your brand name country-code domains for markets you operate in, such as .co.uk, .de, and .cn.</p><p>Turn on registrar lock, use a reputable <a href="https://www.techradar.com/news/best-domain-registrars">domain registrar</a>, and keep your registration details current. We hit this wall directly when the obvious domains in China were already taken. Claim your namespace early, because the cost of registering domains is far lower than reclaiming them later.</p><h2 id="3-use-your-legal-routes-and-know-their-limits">3. Use your legal routes, and know their limits</h2><p>Trademark law gives you specific tools against squatters. The tools work, though they move slowly, so start them early. The following is general information, not legal advice. </p><p>Your main options:</p><p>i) Register your trademark, which is the foundation for every other action;</p><p>ii) Send a cease-and-desist letter to the registrant</p><p>iii) Report abuse directly to the registrar hosting the domain.</p><h2 id="4-own-your-brand-in-search-results">4. Own your brand in search results</h2><p>When someone searches your brand, the page they click decides whether they reach you or a copy. Ranking above the impersonator removes most of their traffic. </p><p>Make the real you easy to find:</p><p>i) Publish content that states your official domains in plain language;</p><p>ii) Keep rebranding and company information current across your site and profiles;</p><p>iii) Use structured data and verified <a href="https://www.techradar.com/best/best-social-media-management-tools">social media</a> profiles so search engines confirm your identity.</p><p>We published direct, on-record clarifications so anyone searching the old brand finds the truth quickly. We say it plainly: we operate at decodo.com globally and decodo.cn in China. Everything else using the old name isn’t us</p><h2 id="5-tell-your-customers-and-keep-telling-them">5. Tell your customers, and keep telling them</h2><p>Customers can’t avoid a fake site that they don’t know exists. Telling them turns your audience into a filter against the impersonator. </p><p>Reach them through every channel you have:</p><p>i) Email warnings to your existing customer list;</p><p>ii) A banner or notice on your website;</p><p>iii) A help-center article that customers find when they search for the problem;</p><p>iv) Posts on the social accounts your customers already follow.</p><h2 id="treat-impersonation-as-a-security-problem">Treat impersonation as a security problem</h2><p>Brand impersonation now sits next to the infrastructure-trust problem the IPIDEA takedown exposed. A fake domain can route customers into compromised device pools, which makes this a question for security and legal teams, not just marketing. Give it a cross-functional owner who watches domains, files complaints, and updates customers on a schedule. </p><p>Google's action against IPIDEA reduced the available device pool for proxy operators by millions and, in Google's words, may carry downstream impact across affiliated resellers. Squatting that depends on that kind of infrastructure carries the same exposure. Demand transparency from any provider you buy from, and apply the same standard to your own supply chain.</p><p><em></em><a href="https://www.techradar.com/best/proxy"><em>We feature the best proxy sites</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Huge hacking campaign uses spoofed Ghidra, dnSpy, and SpiderFoot security tools to harvest ad revenue and serve malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/huge-hacking-campaign-uses-spoofed-ghidra-dnspy-and-spiderfoot-security-tools-to-harvest-ad-revenue-and-serve-malware</link>
                                                                            <description>
                            <![CDATA[ More than 100 spoofed websites were redirecting users and offering infostealers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FYtUVENFQzU7XjYwsv6cVH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 04 Jun 2026 09:53:09 +0000</pubDate>                                                                                                                                <updated>Thu, 04 Jun 2026 09:53:13 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg">
                                                            <media:credit><![CDATA[Thapana Onphalai via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:description>                                                            <media:text><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:text>
                                <media:title type="plain"><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Over 100 spoofed sites mimic trusted security tools</strong></li><li><strong>Campaign serves SessionGate, RemusStealer, AnimateClipper</strong></li><li><strong>Primary goal appears to be traffic monetization</strong></li></ul><p>A large-scale malicious campaign was recently uncovered, spoofing reputable open-source security tools to harvest ad revenue and serve malware to developers and security researchers.</p><p>Security outfit <a href="https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/" target="_blank" rel="nofollow">Check Point Research (CPR)</a> recently published an in-depth report, detailing the campaign. Apparently, threat actors created more than 100 websites spoofing tools such as Ghidra, dnSpy, and SpiderFoot. Visitors were routed through a Traffic Distribution System (TDS) and served multiple malware variants, including SessionGate, RemusStealer, and AnimateClipper.</p><p>“What makes this campaign especially notable is the choice of brands: a high-risk subset of sites impersonates trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts,” the report reads.</p><h2 id="traffic-acquisition-and-monetization">Traffic acquisition and monetization</h2><p>CPR describes SessionGate as a new multi-stage loader that makes it very difficult to obtain the final payload. RemusStealer is a newly emerged infostealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipper capable of hijacking transactions across more than 20 blockchains. </p><p>Despite these websites serving multiple malware, CPR does not believe it to be the main goal. Instead, it believes the campaign’s primary objective is traffic acquisition and monetization.</p><p>“However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> distributors,” CPR stressed. “The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.”</p><p>While CPR did not say how many people were affected by this attack, it does stress that the campaign is rather large-scale. It involves more than 100 websites, as well as more than 5,000 total submissions to VirusTotal. </p><p>To defend against this campaign, and others like it, users are advised not to blindly trust search engine results, and to be careful when clicking on links, even when they’re at the very top of Google and other reputable engines. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Weedhack malware campaign infects 116,000 mod-hungry Minecraft players systems through SEO poisoning and YouTube ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/weedhack-malware-campaign-infects-116-000-mod-hungry-minecraft-players-systems-through-seo-poisoning-and-youtube</link>
                                                                            <description>
                            <![CDATA[ Fake mods and clients are being advertised on YouTube and used to deploy backdoors and infostealers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">YxPih94PQbFopWzBjYyoUN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kdhVdv6powtuEo3tfg5QPE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 03 Jun 2026 14:25:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kdhVdv6powtuEo3tfg5QPE-1280-80.jpg">
                                                            <media:credit><![CDATA[Mojang]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cobblemon mod]]></media:description>                                                            <media:text><![CDATA[Cobblemon mod]]></media:text>
                                <media:title type="plain"><![CDATA[Cobblemon mod]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kdhVdv6powtuEo3tfg5QPE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Weedhack spreads via poisoned Minecraft mods on YouTube</strong></li><li><strong>Malware disables defenses and enables remote access</strong></li><li><strong>Offered as MaaS with free and paid tiers</strong></li></ul><p>Cybercriminals are using YouTube to disseminate malware that targets Minecraft users and takes full control over their <a href="https://www.techradar.com/news/best-endpoint-security-software" target="_blank">computers</a>.</p><p>In January this year, security researchers McAfee Labs spotted a new malicious campaign dubbed Weedhack. In the campaign, the malicious actors created countless YouTube channels and standalone websites, through which they promoted links to Minecraft clients and mods. </p><p>With the help of Weedhack (apparently an enterprise-grade dashboard that also allows crooks to inject the malware into legitimate Minecraft mods), they created poisoned mods and clients which delivered a .JAR file called DonutDupe.jar.</p><h2 id="industry-support">Industry support</h2><p>This is a Java ARchive package format used in the Java ecosystem to bundle multiple files into a single archive. This file starts a chain reaction that results in Windows Defender being disabled, system information collected, and two additional payloads dropped, which establish persistence and enable remote access.</p><p>McAfee said the campaign accumulated a total of 116,464 hits, averaging approximately 2000 to 3,000 hits per day. Most of them are located in the US, with other notable mentions including Germany, India, the UK, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain. </p><p>McAfee describes Weedhack as a ‘Minecraft-focused Malware-as-a-service’ (MaaS). The custom payloads target versions 1.21.0 to 1.21.11 of the game, while the dashboard allows malicious actors to view stolen credentials and exfiltrated system information in a centralized manner. The MaaS is apparently being offered in Telegram channels in two tiers - free and paid, and while the free version comes with plenty of features (screenshot grabber, file exfiltrator), the paid one ($4.99 a month) offers webcam access, keylogging, and reverse shell execution. </p><p>“One of the key features that makes Weedhack unique is that it is hosted on the clear net and provides access to sophisticated <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> for free," McAfee’s researchers explained. "This difference in cost and ease of access with detailed tutorials on how to use the malware significantly reduces the barrier to entry for prospective customers. Furthermore, its ability to steal Minecraft accounts attracts a younger audience. Both of these factors complement each other and make the campaign much more lethal."</p><p><em>Via </em><a href="https://thehackernews.com/2026/06/weedhack-attacks-minecraft-users.html" target="_blank" rel="nofollow"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Steam Community Profiles abused as C2 network in new WordPress malware infection campaign ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/steam-community-profiles-abused-as-c2-network-in-new-wordpress-malware-infection-campaign</link>
                                                                            <description>
                            <![CDATA[ A new cheeky malware campaign abuses the comment section as a roadsign to malware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">EyczYyhYsLAgPaDCuuw3Fm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bx8fPhUoHLYdN39sZtNWZk-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 03 Jun 2026 12:18:13 +0000</pubDate>                                                                                                                                <updated>Wed, 03 Jun 2026 12:18:18 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bx8fPhUoHLYdN39sZtNWZk-1280-80.jpg">
                                                            <media:credit><![CDATA[Valve]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Logo of Steam with game covers in the background]]></media:description>                                                            <media:text><![CDATA[Logo of Steam with game covers in the background]]></media:text>
                                <media:title type="plain"><![CDATA[Logo of Steam with game covers in the background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bx8fPhUoHLYdN39sZtNWZk-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Malware hides payload in Steam Community comments</strong></li><li><strong>WordPress sites used to host backdoors</strong></li><li><strong>Nearly 2,000 sites compromised since July</strong></li></ul><p>Security researchers from GoDaddy found a cheeky new malware campaign that used comments made by Steam Community accounts as command-and-control (C2) infrastructure.</p><p>Here is how the attack plays out: The attackers would first find vulnerable <a href="https://www.techradar.com/best/wordpress-website-builder" target="_blank">WordPress websites,</a> or those protected by weak credentials, and use them to host PHP malware somewhere in the site’s files. For example, the sample was found in a theme’s ‘functions.php’ file. This malware contains both a JavaScript injection component, and a server-side backdoor. </p><p>Then, whenever a visitor loads the infected website, the malware contacts one of several Steam Community profiles and downloads the contents of profile comments. On surface level, these comments look harmless (albeit incoherent), but they also contain invisible Unicode characters which carry the actual payload. </p><h2 id="industry-support-2">Industry support</h2><p>“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy said.</p><p>The malware then extracts the characters, converts them into binary data, and reconstructs the original bytes. The researchers found that this recovered data contains a URL controlled by the attackers, which points to a domain hosting a JavaScript file spoofing a legitimate library. </p><p>The malware then uses WordPress to load the attacker-controlled JavaScript on every frontend page, which the visitors’ browsers then download and run, infecting themselves in the process.</p><p>In the campaign, there are two sets of targets - vulnerable WordPress websites, and their visitors. Since uncovering the campaign in July last year, GoDaddy said it found almost 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.</p><p>If you run a WordPress website, GoDaddy recommends to check for references to Steam Community URLs, external JavaScript injections, as well as outbound connections from WordPress to Steam. </p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/" target="_blank" rel="nofollow"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ OpenAI Codex tool with over 29,000 downloads linked to malicious npm supply chain attack stealing authentication tokens ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/openai-codex-tool-with-over-29-000-downloads-linked-to-malicious-npm-supply-chain-attack-stealing-authentication-tokens</link>
                                                                            <description>
                            <![CDATA[ A tool started benign and turned sour after a little while, stealing tokens and granting persistent access. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vXcVe5fpJG9SzT2iRuMqu6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/t3peL5Rd9E7bXzyHuQqJ5K-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Jun 2026 19:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/t3peL5Rd9E7bXzyHuQqJ5K-1280-80.jpg">
                                                            <media:credit><![CDATA[OpenAI]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Codex remote control in ChatGPT]]></media:description>                                                            <media:text><![CDATA[Codex remote control in ChatGPT]]></media:text>
                                <media:title type="plain"><![CDATA[Codex remote control in ChatGPT]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/t3peL5Rd9E7bXzyHuQqJ5K-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Researchers uncovered a malicious npm package posing as a Codex UI tool</strong></li><li><strong>Attackers exfiltrated Codex authentication tokens, including non‑expiring refresh tokens</strong></li><li><strong>Aikido Security also found two Android apps targeting Codex users</strong></li></ul><p>A newly discovered supply-chain attack on npm is targeting software developers using OpenAI Codex.</p><p>Codex is OpenAI’s <a href="https://www.techradar.com/best/best-ai-tools" target="_blank">coding assistant</a> and software engineering agent that can write and review code, fix bugs, run tests, and help developers build software with nothing but plain language input.</p><p>Recently it was discovered that a tool published on both GitHub and npm was actually malicious. It is called “codexui-android”, and it is described as a remote web user interface for the Codex platform. It attracted more than 29,000 weekly downloads, so it was rather popular. One of the reasons for its popularity is because it worked as advertised and appeared legitimate. The code published on GitHub remained “clean” the whole time, meaning the public source code didn’t show any malicious behavior.</p><h2 id="breaking-bad">Breaking bad</h2><p>However, approximately a month into its existence, the tool received an update on npm which added information-stealing code. It primarily hunted for OpenAI login credentials.</p><p>When a developer runs the tool, it looks for their Codex authentication tokens and exfiltrates them to an attacker-controlled server. One of the tokens (the refresh token) can potentially allow an attacker to continue accessing the victim’s OpenAI account for an extended period of time without needing the password. </p><p>The implications are rather dangerous, explained Aikido Security researcher Charlie Eriksen, who found and disclosed the attack. Besides the obvious - accessing the victim’s Codex sessions - the attacker can use the tokens to spend the victim’s API credits, to view projects or code they’re working on through Codex, and even impersonate the victim when interacting with OpenAI services. </p><p>"The refresh_token doesn't expire," Eriksen said. "An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface -- it's persistent, silent access to whatever that account can do."</p><p>Aikido also said it saw two Android apps, both published by the same account, who were also targeting Codex users. One is called OpenClaw Codex Claude AI Agent, running the npm package within its PRoot sandbox and sending all Codex credentials to the same, attacker-controlled server. This one had more than 50,000 downloads. The other one is called Codex and counts more than 10,000 downloads.</p><p><em>Via </em><a href="https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html" target="_blank" rel="nofollow"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The biggest cyber threats businesses face in 2026 ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/the-biggest-cyber-threats-businesses-face-in-2026</link>
                                                                            <description>
                            <![CDATA[ AI-driven cyber threats are evolving fast – here's what businesses need to watch in 2026. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qHqyo7BpsQZiuawCcHDLqm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Jun 2026 10:57:16 +0000</pubDate>                                                                                                                                <updated>Mon, 01 Jun 2026 10:57:29 +0000</updated>
                                                                                                                                            <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Phil Lees ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:description>                                                            <media:text><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:text>
                                <media:title type="plain"><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>As industries become more digitalized, cybercrime is evolving just as fast. In 2026, <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cyber security</a> threats are no longer opportunistic; they’re intelligent, automated and highly targeted. No organisation is too small to be ignored by cybercriminals.  </p><p>This is borne out in the UK Government’s Cyber Security Breaches Survey 2025, which suggests that 43% of businesses and 30% of charities reported a cyber breach or attack during the previous 12 months. That’s an astonishing 612,000 UK businesses and 61,000 charities affected. </p><p>Despite these statistics, there are ways organizations can minimize breach risk, from identifying key cyber threats to understanding how businesses can stay safe and prepare for what’s next.  </p><h2 id="the-10-most-common-cyber-threats">The 10 Most Common Cyber Threats</h2><p>Let’s start with my list of the 10 most common cyber threats businesses need to prepare for. </p><h2 id="1-ai-powered-phishing-attacks">1. AI-powered phishing attacks  </h2><p>Among those that suffered a breach or cyberattack in the past 12 months, phishing remains the most common and disruptive threat – and this tactic has changed dramatically over the years. </p><p>It’s no longer obvious or poorly written; today, it’s powered by <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> and we’re seeing attackers convincingly mimic internal communication accurately.  </p><p>As a result, people are far more likely to click on malicious links, share credentials or approve fraudulent payments. In many cases, you don’t realize you’ve been compromised until it’s too late. </p><h2 id="2-ransomware-as-a-service-raas">2. Ransomware-as-a-Service (RaaS)</h2><p>With Ransomware-as-a-Service, we’re seeing criminal groups selling ready-made tools that allow even less experienced attackers to launch serious attacks. This “plug-and-play” model has dramatically increased attack volumes. </p><p>Once inside a system, <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a> encrypts critical files and attackers demand payment, usually in cryptocurrency, while some also threaten to leak stolen data to increase pressure.  </p><h2 id="3-supply-chain-attacks">3. Supply chain attacks </h2><p>Instead of attacking businesses directly, cybercriminals are now targeting third-party suppliers to gain access to multiple organizations at once. </p><p>This exploits trust – and strong internal <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> often isn’t matched across the supply chain. One compromised vendor can trigger a domino effect across hundreds of businesses.  </p><h2 id="4-deepfake-fraud-and-impersonation">4. Deepfake fraud and impersonation  </h2><p>Deepfakes have quickly moved from novelty to a serious threat. I’m seeing attackers use AI-generated audio and <a href="https://www.techradar.com/best/best-video-editing-software">video</a> to convincingly impersonate executives, managers and clients. </p><p>This is dangerous in finance or procurement, where fraudsters can push employees to transfer funds, approve invoices, or share sensitive data – all while posing as trusted leaders. </p><h2 id="5-credential-stuffing-and-password-attacks">5. Credential stuffing and password attacks </h2><p>Despite growing awareness, weak and reused passwords are still one of the biggest vulnerabilities. Credential stuffing attacks use stolen login details from previous breaches and automatically test them across multiple platforms. </p><p>Because people often reuse passwords, attackers can gain access with very little effort. Once inside, they can escalate access, move through systems and quietly extract sensitive data. </p><h2 id="6-cloud-misconfigurations">6. Cloud misconfigurations </h2><p>Configuration errors remain a major risk. Something as simple as an exposed storage bucket or incorrect access setting can leave sensitive data publicly accessible. </p><p>Unlike traditional breaches, these incidents often don’t involve any hacking as the data is simply left unprotected. As <a href="https://www.techradar.com/best/best-cloud-storage">cloud storage</a> environments become more complex, maintaining strong configuration hygiene is now a critical security priority. </p><h2 id="7-iot-and-connected-device-vulnerabilities">7. IoT and connected device vulnerabilities </h2><p>As the Internet of Things (IoT) expands, the attack surface grows significantly. From smart cameras and sensors to industrial machinery, many connected devices still come with limited built-in security. </p><p>Attackers can exploit these devices to access wider corporate networks. Because they’re often overlooked in traditional cyber security strategies, they represent a quiet but fast-growing risk. </p><h2 id="8-insider-threats">8. Insider threats </h2><p>Insider threats are among the hardest risks to manage. People with legitimate access can intentionally steal or leak data, but more often it’s simple human error – like sending information to the wrong person or falling for phishing attacks. </p><p>With remote and hybrid working now the norm, controlling and monitoring access has become even more complex. </p><h2 id="9-business-email-compromise-bec">9. Business email compromise (BEC) </h2><p>Business email compromise is one of the most financially damaging forms of global cybercrime. Attackers infiltrate or spoof email accounts to trick employees into transferring funds or sharing sensitive data. </p><p>These attacks are highly targeted, often based on detailed research. Because they rely on social engineering rather than <a href="https://www.techradar.com/best/best-malware-removal">malware</a>, they can easily bypass traditional security controls.  </p><h2 id="10-zero-day-exploits">10. Zero-day exploits </h2><p>We often highlight zero-day vulnerabilities as being especially dangerous. These are flaws unknown to software vendors and therefore unpatched when attackers exploit them. </p><p>Because there’s no immediate fix available, businesses often only realize they’ve been hit after a breach has already happened. And as software ecosystems grow more complex, we’re expecting the risk of undiscovered vulnerabilities to keep increasing. </p><h2 id="how-businesses-can-stay-protected">How businesses can stay protected-</h2><p>While cyber threats are evolving rapidly, businesses are not powerless. Strong cyber security comes down to layers of defense, constant awareness and continuous improvement. </p><p>Start with multi-factor authentication across all systems, and keep software updated and properly patched because many attacks exploit vulnerabilities that already have fixes.  </p><p>Invest in employee training too, as human error is still a major weak point and staff need to recognize phishing and suspicious behavior. </p><p>Adopt a zero-trust approach, where no user or device is automatically trusted. Combine that with real-time monitoring, AI analytics and regular security testing to find weaknesses before attackers do.  </p><p>Finally, ensure robust backups and recovery plans are in place, because when something goes wrong, speed matters. Cyber security isn’t a one-off project; it’s an ongoing business priority. </p><h2 id="the-future-of-cyber-threats">The future of cyber threats</h2><p>Looking ahead, we expect cyber threats to grow in volume and become even more sophisticated. Artificial intelligence doesn’t sleep and it will play both sides, helping us defend systems while also powering more advanced attacks. </p><p>Breakthroughs like quantum computing could also challenge the <a href="https://www.techradar.com/best/best-encryption-software">encryption</a> standards we rely on today, while the growing complexity of cloud, IoT, and global supply chains will only expand the attack surface. </p><p>The future of cybersecurity will come down to speed, intelligence and adaptability. Organizations that invest in proactive defense, continuous monitoring, and true cyber resilience will be best prepared for what’s next. Cyber threats aren’t just a technical issue; they’re a critical business risk.</p><p><em></em><a href="https://www.techradar.com/best/best-antivirus"><em>We feature the best Antivirus Software: reviewed, tested, and ranked</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Closing the security blind spots that are a prime entry point for attacks ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/closing-the-security-blind-spots-that-are-a-prime-entry-point-for-attacks</link>
                                                                            <description>
                            <![CDATA[ What if the biggest cyber risk isn’t the feared attack, but a hidden, unknown vulnerability? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">btroBvfzj4zBkHvdPsvj3c</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 May 2026 08:10:09 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Yaz Bekkar ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>What if the biggest <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> risk is not the attack you fear most, but the weakness you forgot or never knew was there? </p><p>Many organizations worry that the next breach will come from a highly sophisticated attack so advanced that nothing could have stopped it. That fear is understandable, but the truth is often more uncomfortable. </p><p>In many cases, breaches do not begin with an unstoppable threat. They begin with a blind spot such as a missed patch, a dormant account, a device outside corporate security control or a <a href="https://www.techradar.com/best/firewall">firewall</a> left exposed. These small gaps that are easy to overlook are exactly the kind of gaps attackers know how to find.  </p><p>This is the reality, and one of the key findings from our recent report, which found that, in most cases, it is preventable security issues that open the door. Unpatched firewalls, rogue endpoints, dormant identities and misconfigurations continue to give threat actors the opportunity they need. </p><h2 id="why-are-attackers-focusing-more-on-identity-than-infrastructure">Why are attackers focusing more on identity than infrastructure? </h2><p>Because compromising an identity is often easier and quieter than attacking a system head-on.  </p><p>Once attackers compromise an identity, they are no longer forcing their way in. They are walking in through a trusted door and this is an important shift that we’re now seeing.  </p><p>Stolen usernames and passwords can provide access to cloud services, email and remote access tools, and valid credentials let attackers easily blend in with normal user activity. </p><p>From there, they can escalate privileges, move laterally and turn limited access into broader control over the environment.  </p><p>Sometimes, the speed with which this happens is startling. In one case, we have detected that the time between the initial breach and the execution of a full <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a> attack was just three hours.  </p><p>In another real-world incident, attackers gained access through a dormant account that had originally been created for a third-party vendor and was never deactivated after the contract ended. One forgotten account eventually became the route to ransomware. </p><h2 id="are-organizations-still-being-exposed-by-endpoint-and-firewall-gaps">Are organizations still being exposed by endpoint and firewall gaps? </h2><p>Yes, and at scale. Attackers actively look for unprotected <a href="https://www.techradar.com/news/best-business-laptops">business laptops</a>, tablets or servers that fall outside normal security controls, because these devices can provide a path around corporate defenses. </p><p>The issue is not always a lack of security tools. In our experience, from monitoring thousands of different environments, the issue often comes down to a  lack of consistent configuration. Security tools that have either been accidentally or intentionally disabled present a major security risk. The danger can be heightened as teams may have a false sense of security that comes  from having the tool installed in the first place.  </p><p>We also know that many organizations are trying to manage too many <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> tools with limited resources. And when teams are overstretched, configuration errors become more likely. That is often where attackers gain their advantage. </p><p>It also helps explain why relatively simple attack techniques remain so effective.  </p><p>Threat actors continue to exploit known vulnerabilities, including some that have been around for years which can be found in legacy systems such as old <a href="https://www.techradar.com/best/best-linux-server-distro">servers</a> or applications.</p><p>More striking still, from our analysis of data last year , we found that the vast majority of ransomware incidents exploited firewalls through either a CVE or a vulnerable account.  </p><h2 id="why-are-modern-attacks-becoming-harder-to-spot">Why are modern attacks becoming harder to spot? </h2><p>Some of the most malicious behavior can look annoyingly legitimate.  </p><p>Threat actors are increasingly relying on living-off-the-land (LOTL) techniques, using legitimate tools already present in the environment to carry out malicious actions.  </p><p>One of the clearest examples is fileless <a href="https://www.techradar.com/best/best-malware-removal">malware</a> attacks which use PowerShell as the primary execution method.  </p><p>That creates a serious challenge for defenders. PowerShell is widely used for legitimate IT administration and maintenance. When malicious activity mimics normal operations, it becomes much harder to distinguish threat behavior from business-as-usual. </p><p>This is one of the most difficult blind spots organizations face today: not the threat you can clearly see, but the one that resembles something familiar. </p><h2 id="how-could-agentic-ai-make-this-worse">How could agentic AI make this worse? </h2><p>AI is helping threat actors move faster, adapt quicker and scale their efforts far more efficiently. </p><p>As threat actors adopt agentic AI, the exploitation of common weaknesses is likely to accelerate. These technologies can help cybercriminals scan environments continuously, identify weak configurations in minutes and rewrite malicious code on the fly to avoid detection. </p><p>In other words, the same overlooked issues that are already dangerous today could become even more exposed tomorrow. </p><p>That is why basic security weaknesses can no longer be treated as minor issues. In an environment where attacks can be launched and adapted far more quickly, weak <a href="https://www.techradar.com/best/best-identity-management-software">identity management</a> controls, unpatched systems and unmanaged devices become far more costly. </p><h2 id="so-what-should-organizations-do-now">So what should organizations do now? </h2><p>Start with the basics and treat them as strategically important, not operational housekeeping. </p><p>Some of the fastest and most effective improvements include: consistent multi-factor authentication and stronger access controls; a disciplined approach to <a href="https://www.techradar.com/best/best-patch-management-tools">patch management</a> and data protection and regular cybersecurity awareness training for employees </p><p>But closing blind spots fully requires more than isolated fixes because resilience depends on visibility. The more fragmented security becomes, the easier it is for critical signals to be missed. But when organizations have end-to-end visibility and coordinated management across their environment, they are far better placed to detect both the obvious weaknesses and the hidden ones. </p><p>A unified security strategy is one that combines advanced, AI-powered detection technologies with a fully automated SOC. Working with a provider who can deliver that protection 24/7 through a comprehensive managed security platform reduces the burden on internal teams.   </p><p>And that is what long-term cyber resilience is really built on: not just defending against the spectacular attack, but closing the everyday gaps that attackers are counting on.  </p><p>As I always say; the breach that changes everything often begins with something that seemed too small to matter.</p><p><em></em><a href="https://www.techradar.com/best/best-small-and-medium-business-firewall-software"><em>We feature the best small and medium business (SMB) firewall software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cybercriminals are using GTA 6 hype to spread malware ahead of launch, NordVPN warns ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/vpn/vpn-privacy-security/cybercriminals-are-using-gta-6-hype-to-spread-malware-ahead-of-launch-nordvpn-warns</link>
                                                                            <description>
                            <![CDATA[ NordVPN warns GTA 6 fans about fake beta keys, phishing pages, Android adware, and malware disguised as early access downloads. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">RMEVWPFdEVgf6tcANGX3M7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YfGyyxGmm5hNmhvqh3uodM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 08:43:26 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[VPN Privacy &amp; Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ monicajwrites@gmail.com (Monica J. White) ]]></author>                    <dc:creator><![CDATA[ Monica J. White ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/6AQ4y5nzk8kQ47Yp69GERj.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Monica is a journalist with over a decade of experience in covering technology.&lt;/p&gt;&lt;p&gt;She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors. Her coverage includes CPUs, GPUs, and everything else that goes into a PC or a laptop, but also peripherals.&lt;/p&gt;&lt;p&gt;GPUs are Monica’s main area of interest, and nothing thrills her quite like that time every couple of years when new graphics cards hit the market. She’s always keeping tabs on the latest from Nvidia, AMD, and Intel, including both the hardware and the software that powers our PCs.&lt;/p&gt;&lt;p&gt;As an avid gamer, her focus is always on the consumer and whether something works well and provides adequate value for the money. She believes that PC building can be intimidating, so her goal is to explain complex concepts in an approachable manner while still digging into the technical nitty-gritty we all love to learn more about.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YfGyyxGmm5hNmhvqh3uodM-1280-80.jpg">
                                                            <media:credit><![CDATA[Photo Illustration by Thomas Fuller/SOPA Images/LightRocket via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Grand Theft Auto VI (GTA 6) logo is seen displayed on a smartphone screen]]></media:description>                                                            <media:text><![CDATA[The Grand Theft Auto VI (GTA 6) logo is seen displayed on a smartphone screen]]></media:text>
                                <media:title type="plain"><![CDATA[The Grand Theft Auto VI (GTA 6) logo is seen displayed on a smartphone screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YfGyyxGmm5hNmhvqh3uodM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>NordVPN identified malware and scam campaigns</strong> <strong>targeting GTA 6's fans</strong></li><li><strong>The web is flooded with fake beta keys, trojanized repacks, phishing sites</strong></li><li><strong>PC and Android users are the main targets</strong></li></ul><p>The hype around the release of GTA 6 is real, and threat actors are quick to make the most of it by targeting gamers who are <a href="https://www.techradar.com/gaming/fans-mourn-what-would-have-been-gta-6s-launch-today-my-girl-surprised-me-with-usd100-today-and-thought-gta-6-was-coming-out-tomorrow">disappointed by the game's delayed release</a>. The lead-up to the release of Rockstar Games' most anticipated title makes fans vulnerable to a large number of scams, NordVPN warns.</p><p><a href="https://www.techradar.com/reviews/nordvpn">NordVPN</a>, which consistently ranks at the top of our list of the <a href="https://www.techradar.com/vpn/best-vpn">best VPNs</a>, shared the findings of its Threat Intelligence team. The team discovered a wave of GTA 6-themed scams targeting eager fans with fake installers, non-existent beta keys, phishing pages, and even Android adware pretending to be a "GTA 6 beta" app. </p><p>Attackers are banking on victims clicking first and then thinking later, instilling a sense of urgency through every scam attempt.</p><h2 id="nordvpn-reveals-the-staggering-extent-of-gta-6-scams">NordVPN reveals the staggering extent of GTA 6 scams</h2><p>NordVPN has revealed that PC and Android users are the primary targets of GTA 6 scams, but the threat actors may still promise access to the game on other platforms.</p><p>The game has been confirmed to launch on the PlayStation 5 and the Xbox Series X/S to start with, which threat actors are willingly abusing by promising exclusive beta keys for those consoles. Users first fill out a short form, go through a quick verification process, and then are told to either subscribe or download potentially unwanted applications (PUAs). </p><p>Windows users are also targeted by clones of well-known piracy sites. These clones distribute <a href="https://www.techradar.com/news/what-is-malware-and-how-dangerous-is-it">malware</a>, cleverly disguised as the actual game. NordVPN downloaded one of these scam files and found it to look surprisingly legitimate, with a proper game installer that quietly launches a trojan in the background. The malware can modify your PC's RAM, connect to external servers, and download even more malware.</p><blockquote class="reddit-card"  ><a href="https://www.reddit.com/r/GTA/comments/1t5m6cr/gta6_is_already_on_android/comments/1t5m6cr/gta6_is_already_on_android">gta</a> from <a href="https://www.reddit.com/r/GTA/comments/1t5m6cr/gta6_is_already_on_android">r/GTA/comments/1t5m6cr/gta6_is_already_on_android</a></blockquote><script async src="//embed.redditmedia.com/widgets/platform.js" charset="UTF-8"></script><p>Android users are subjected to adware that pretends to offer access to the GTA 6 beta. This is especially clever, as the game is unlikely to ever launch on Android, but fake apps that promise access to the game are still cropping up, as shared by NordVPN as well as various <a href="https://www.reddit.com/r/GTA/comments/1t5m6cr/gta6_is_already_on_android/" target="_blank" rel="nofollow">Reddit users</a>. </p><p>NordVPN downloaded one such file and found the app to be an empty shell that plays a video and then makes you download additional data. The app tries to get users to pay for a subscription or download further malware, and NordVPN traced it back to a domain that's known for distributing banking trojans, ransomware, and infostealers.</p><p>Even Rockstar Social Club accounts aren't safe: phishing pages attempt to steal login credentials, and those accounts, quickly stolen, are often resold or used for in-game scams.</p><h2 id="how-to-stay-safe-2">How to stay safe</h2><p>The general rule of thumb is not to trust anything that didn't come directly from Rockstar Games, the PlayStation Store, or the Xbox Marketplace. <strong>Never download any game-related content from third-party sites</strong>, as even a legitimate-looking site can be a scam.</p><p><strong>Don't trust offers of free beta keys</strong>, either. Follow the official social media channels for these platforms to keep an eye out for legit offers. </p><p>Lastly, <strong>don't share your Rockstar account details</strong> on any websites other than the official site, and <strong>check the URL before you type</strong> them in.</p><p>NordVPN has just <a href="https://www.techradar.com/vpn/vpn-services/protection-needs-to-evolve-nordvpn-rebrands-as-an-all-in-one-vpn-app-for-next-generation-protection">rebranded its Threat Protection suite</a> as next-gen antivirus, so if you want to stay extra safe with a more robust security solution, it's worth checking out.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Protection needs to evolve' — NordVPN rebrands as an all-in-one VPN app for next-generation protection  ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/vpn/vpn-services/protection-needs-to-evolve-nordvpn-rebrands-as-an-all-in-one-vpn-app-for-next-generation-protection</link>
                                                                            <description>
                            <![CDATA[ The digital security giant is bringing next-gen antivirus, dark web monitoring, and its industry-leading VPN into a single, unified experience. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xr4DwLxMzWWKG7t9LmwcBM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ewbjV59riV4dExhBbaawtM-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 May 2026 07:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 27 May 2026 08:25:37 +0000</updated>
                                                                                                                                            <category><![CDATA[VPN Services]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/DXDNjzRkphApxN8f5SooCA.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Rene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging. &lt;/p&gt;&lt;p&gt;His writing is backed by years of market analysis, allowing him to deliver news and features with an expert’s understanding of the industry.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/ewbjV59riV4dExhBbaawtM-1280-80.png">
                                                            <media:credit><![CDATA[NordVPN]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[NordVPN rebranding, all-in-one app (May 2026)]]></media:description>                                                            <media:text><![CDATA[NordVPN rebranding, all-in-one app (May 2026)]]></media:text>
                                <media:title type="plain"><![CDATA[NordVPN rebranding, all-in-one app (May 2026)]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ewbjV59riV4dExhBbaawtM-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>NordVPN rebrands its app across three pillars: connect, protect, monitor</strong></li><li><strong>Threat Protection's tools are now under a newly launched anti-gen antivirus</strong></li><li><strong>Anti-gen antivirus tools blocked 4.8 million threats in April alone</strong></li></ul><p>NordVPN is officially changing. The cybersecurity giant has announced a major rebrand, shifting its focus from a standalone VPN provider to an all-in-one digital security app.</p><p>The revamped <a href="https://www.techradar.com/reviews/nordvpn">NordVPN</a> application is now organized around three core pillars: "<strong>connect</strong>," which refers to the <a href="https://www.techradar.com/vpn/virtual-private-networks">virtual private network</a> tech; "<strong>protect</strong>," where what's known as the <a href="https://www.techradar.com/vpn/vpn-services/after-a-year-of-using-threat-protection-pro-a-nordvpn-plus-plan-might-be-the-only-black-friday-vpn-deal-i-recommend">Threat Protection</a> suite becomes next-generation antivirus; and "<strong>monitor</strong>," which includes tools like <a href="https://www.techradar.com/vpn/vpn-services/google-killed-its-dark-web-scanner-but-nordvpns-upgraded-tool-is-here-to-track-your-leaked-data">Dark Web Monitor</a>.</p><p>As Marijus Briedis, CTO at NordVPN, said in a press statement: "Such an approach reflects what users increasingly want from digital protection: stronger security, less complexity, and fewer separate tools to install and manage."</p><h2 id="the-need-for-a-next-gen-antivirus">The need for a next-gen antivirus</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:886px;"><p class="vanilla-image-block" style="padding-top:56.21%;"><img id="vuyxrMovXEkAjxzafD682T" name="Image_1" alt="NordVPN next-gen antivirus, promo image May 2026" src="https://cdn.mos.cms.futurecdn.net/vuyxrMovXEkAjxzafD682T.png" mos="" align="middle" fullscreen="" width="886" height="498" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: NordVPN)</span></figcaption></figure><p>The rebranding of Threat Protection features as next-generation antivirus capabilities is especially significant to grasp how the company is adapting to an online landscape where threats are diversified.</p><p>Many of today's most common and damaging digital dangers, including phishing pages, fake online stores, scam messages, and account takeover attempts, do not rely on downloadable files at all. Instead, modern cybercriminals use deception, compromised credentials, and social engineering to target unsuspecting users.</p><p>Yet, as Briedis explains, people still use the word '<a href="https://www.techradar.com/best/best-antivirus">antivirus</a>' as a "shorthand" for digital security. "Modern protection should address the real risks people face online today, from phishing and scams to malicious downloads. Protection needs to evolve, without compromising the standard of privacy people expect from us," said Briedis.</p><p>Traditional <a href="https://www.techradar.com/best/best-antivirus">antivirus</a> software, in fact, has historically focused on reactive file scanning. NordVPN's next-generation antivirus aims to redefine this concept for private customers. It focuses on proactive, real-time protection to stop <a href="https://www.techradar.com/news/what-is-phishing-and-how-dangerous-is-it">phishing</a>, scams, ads, trackers, and malware before they ever reach a user's device.</p><p>Over the last year, we have tracked how <a href="https://www.techradar.com/vpn/vpn-services/beyond-vpn-protection-how-nordvpn-changed-in-2025-and-whats-in-store-for-2026">NordVPN has steadily integrated</a> broader defense features against online scams and malware. And these tools are already working hard. In April alone, NordVPN's next-gen antivirus tool blocked 4.8 million threats. <a href="https://www.techradar.com/news/what-is-malware-and-how-dangerous-is-it">Malware</a> made up the majority of these blocks, accounting for over 3 million stopped threats.</p><p>Now, those extra layers of defense are taking center stage. A massive evolution for a service that already ranks among the <a href="https://www.techradar.com/reviews/nordvpn">best VPN</a> options on the market.</p><h2 id="privacy-first-security-by-design">Privacy-first security by design</h2><p>One of the biggest concerns for users adopting all-in-one security suites is privacy. Antivirus software historically requires deep system access, which can raise surveillance concerns. </p><p>NordVPN claims its security approach is designed around collecting the minimum signal required to make a threat decision, avoiding turning security tools into surveillance products.</p><p>This privacy-first ethos extends across NordVPN's entire suite, from its core VPN capabilities to its dedicated machine learning models used to catch specific threat categories.</p><p>For users looking to streamline their digital setup, this rebrand also seeks to reduce the clutter of managing multiple subscription services. </p><p>"Consumers should not have to choose between convenience, protection, and privacy," says Briedis. "Our goal is to bring together advanced VPN technology and next-generation antivirus in one streamlined app experience that reduces complexity and better matches how people think about digital safety today."</p><p>This rebrand follows what has already been a highly active period for the provider; you can catch up on their other recent updates in our recap of <a href="https://www.techradar.com/vpn/vpn-services/nordvpn-had-a-busy-start-to-2026-heres-a-recap-of-all-the-releases-you-may-have-missed">everything NordVPN released in early 2026</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kash Patel's 'BasedApparel' website is apparently hosting ClickFix malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/kash-patels-basedapparel-website-is-apparently-hosting-clickfix-malware</link>
                                                                            <description>
                            <![CDATA[ The malware targets macOS users only and serves commodity infostealers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ma45DfZaZxyu4sjyukVJDN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/A33uiNMYWME9b9zkSfwQjD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 May 2026 18:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/A33uiNMYWME9b9zkSfwQjD-1280-80.jpg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Based Apparel]]></media:description>                                                            <media:text><![CDATA[Based Apparel]]></media:text>
                                <media:title type="plain"><![CDATA[Based Apparel]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/A33uiNMYWME9b9zkSfwQjD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Researcher finds Based Apparel site serving a macOS ClickFix infostealer disguised as a Cloudflare CAPTCHA check</strong></li><li><strong>Victims were tricked into pasting malicious Applescript commands in Terminal, with VirusTotal flagging the malware as a commodity Trojan/infostealer</strong></li><li><strong>The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline after disclosure, linking the incident to broader Ghost CMS exploitation in ongoing ClickFix campaigns</strong></li></ul><p>Based Apparel, an American online clothing company selling patriotic, conservative, and pro–free speech-themed merchandise, was seemingly compromised and used to serve malware through the ClickFix technique - but only macOS users were targeted.</p><p>A researcher with the alias ‘debbie’ disclosed her findings to <a href="https://uk.pcmag.com/security/165117/kash-patels-apparel-site-is-trying-to-trick-visitors-into-installing-malware" target="_blank"><em>PC Mag</em></a>, before sharing video proof on X, after saying she read online about Based Apparel being co-founded by FBI Director Kash Patel and decided to take a closer look.</p><p>“The ClickFix attack just kinda popped up when I was browsing it,” Debbie said in an email. “I took a quick look and it's just a classic infostealer, wrapped twice in base64 (binary-to-text encoding). It's interesting that it's written in Applescript though.”</p><h2 id="links-to-ghost-cms">Links to Ghost CMS?</h2><p>The victims were asked to verify they were human, on a CAPTCHA page seemingly coming from Cloudflare. This spoofed Cloudflare site will tell the victim that “unusual web traffic” was detected, and will ask the victim to confirm they’re human by opening the Terminal and paste a command shared on the page. </p><p>Running the infostealer through VirusTotal, <em>PC Mag</em> found it was flagged by 27 antivirus engines as a Trojan and infostealer, meaning it’s commodity <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> rather than a custom-built solution for targeted attacks. </p><p>Based Apparel is yet to comment, but its website is offline for the time being. At press time, the site showed a “We’ll be right back” message that stated the company is “making improvements”.</p><p>The website is seemingly built using two content management systems - WordPress with WooCommerce for the store functionality, and Ghost CMS for the separate news subdomain.</p><p>Earlier today, we reported that <a href="https://www.techradar.com/pro/security/ghost-cms-flaw-hijacked-to-target-hundreds-of-websites-with-clickfix-attacks-heres-how-to-stay-safe">a critical-severity vulnerability in Ghost CMS</a>, patched in February 2026, was also being abused against more than 700 domains to launch ClickFix attacks. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ghost CMS flaw hijacked to target hundreds of websites with ClickFix attacks — here's how to stay safe ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/ghost-cms-flaw-hijacked-to-target-hundreds-of-websites-with-clickfix-attacks-heres-how-to-stay-safe</link>
                                                                            <description>
                            <![CDATA[ A critical-level flaw in a popular CMS, patched months ago, is now being abused. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sTs68yar6vmTMgbXLQu4aS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HU8VZ2jkrVAHBpb3Aqqg8j-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 May 2026 13:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HU8VZ2jkrVAHBpb3Aqqg8j-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images/Tatiana Maksimova]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Female hands typing on a laptop in neon light. A lock as a symbol of cybersecurity on a foreground.]]></media:description>                                                            <media:text><![CDATA[Female hands typing on a laptop in neon light. A lock as a symbol of cybersecurity on a foreground.]]></media:text>
                                <media:title type="plain"><![CDATA[Female hands typing on a laptop in neon light. A lock as a symbol of cybersecurity on a foreground.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HU8VZ2jkrVAHBpb3Aqqg8j-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Researchers warn CVE‑2026‑26980, a critical SQL injection flaw in Ghost CMS (score 9.4), is being exploited in a large ClickFix campaign</strong></li><li><strong>Over 700 domains, including Harvard, Oxford, DuckDuckGo, and major AI/SaaS firms, were compromised to deliver malware via DLL loaders, JS droppers, and Electron‑based payloads</strong></li><li><strong>Admins should urgently upgrade to Ghost 6.19.1 or later and monitor 30‑day admin API logs to detect potential compromise</strong></li></ul><p>A critical-severity vulnerability that reportedly was patched three months ago is being exploited in a massive ClickFix campaign, researchers have claimed.</p><p>In mid-February 2026, a critical SQL injection vulnerability was found in Ghost CMS, a popular open-source Content Management System (<a href="https://www.techradar.com/best/cms">CMS</a>) currently used by more than 57,000 websites, including the likes of 404 Media, The Canadian government, and Duolingo.</p><p>The flaw, tracked as CVE-2026-26980 and affecting Ghost 3.24.0 through 6.19.0, was assigned a severity score of 9.4/10 (critical), as it potentially allows unauthenticated attackers to perform arbitrary reads from the database, which grants management access to users, articles, themes, as well as article pages. </p><h2 id="deploying-various-malware">Deploying various malware</h2><p>However, many users most likely did not patch, as Chinese cybersecurity firm Qianxin claims more than 700 domains were compromised to serve ClickFix attack flows. </p><p>Among them are Harvard University, Oxford University, Auburn University, DuckDuckGo, and many AI/SaaS company sites, media outlets, fintech firms, and others. </p><p>ClickFix is a type of scam in which attackers tell the victims they have a problem (which they don’t) and then provide the solution (which it really isn’t). The “solution”, however, just deploys a piece of <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, and depending on the attackers and the targets, it can vary from classic backdoors to ransomware encryptors. </p><p>In this campaign, the researchers saw DLL loaders, JavaScript droppers, and a generic Electron-based malware being distributed. </p><p>The best way to mitigate the threat is to simply upgrade the Ghost CMS either to version 6.19.1, or whatever the latest version is at the moment. Website owners are also advised to keep a 30-day record of admin API call logs, just to keep track of potential compromise.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How .BRANDs improve domain security and user trust – even in an AI world ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/how-brands-improve-domain-security-and-user-trust-even-in-an-ai-world</link>
                                                                            <description>
                            <![CDATA[ .BRAND gTLDs bolster domain security against phishing, fraud and other AI-generated threats. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sB85T8pTjLjtewXgTGzo8W</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UjSNcAZ5SebctebKAMQNVF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 May 2026 10:22:32 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Gretchen Olive ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UjSNcAZ5SebctebKAMQNVF-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cybersecurity ensures data protection on internet. Data encryption, firewall, encrypted network, VPN, secure access and authentication defend against malware, hacking, cyber crime and digital threat]]></media:description>                                                            <media:text><![CDATA[Cybersecurity ensures data protection on internet. Data encryption, firewall, encrypted network, VPN, secure access and authentication defend against malware, hacking, cyber crime and digital threat]]></media:text>
                                <media:title type="plain"><![CDATA[Cybersecurity ensures data protection on internet. Data encryption, firewall, encrypted network, VPN, secure access and authentication defend against malware, hacking, cyber crime and digital threat]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UjSNcAZ5SebctebKAMQNVF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>At the end of April, the Internet Corporation for Assigned Names and Numbers (ICANN) opened the application period for <a href="https://www.techradar.com/news/best-domain-registrars">domain registrars</a>, to allow companies to register for .BRAND domains for the first time since 2012, allowing organizations to register a new generic top-level domain (gTLD) that matches their trademarked name.</p><p>“Top level” refers to what is typically the “.com,” “.net,” “.gov,” etc. part of a domain. A .BRAND instead features a brand name after the final dot in a domain address, such as https://about.google. </p><p>As a custom domain extension, it is owned and operated by the <a href="https://www.techradar.com/best/best-business-plan-software">business</a> that holds the trademarked name. </p><p>With this, companies take full control over their domain ecosystem by creating, managing and deactivating domains quickly without third-party assistance.</p><p>This means .BRANDS are about much more than a name. The current application period marks a fresh opportunity to future-proof digital assets by carving out a trusted space for company information and partner interactions. Such trust is needed because emerging <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> are triggering increasingly sophisticated cyber attacks and brand infringements by targeting domains. </p><p>Nine out of ten organizations, in fact, have experienced at least one domain name system (DNS) attack, with a $1.1 million average cost per incident. Executive leaders must reassess how to best prepare their own internal, partner and customer infrastructures for the new era of digital threats.</p><h2 id="the-great-promise-of-dot-brands">The great promise of dot BRANDS</h2><p>Dot BRANDS bring great promise to help companies achieve this. They bolster domain <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> against phishing and other types of fraud by mitigating the incidence of lookalike domains. At the same time, they boost brand visibility and placement in search results and AI-generated responses alike.  </p><p>There are more than 400 .BRANDS in global web ranks, including dns.google, home.barclays and group.softbank. To cite one use case example, Microsoft is consolidating Microsoft 365 apps and services under the cloud.microsoft domain. Subsequently, businesses significantly improve domain protection with the following advantages:</p><p></p><p>1. ICANN Specification 13 ensures that a .BRAND domain is exclusively reserved for the trademark holder, eliminating third-party use of the domain. </p><p>2. An official .BRAND enables full traceability and consistency for domain-associated sites, assuring authenticity for any hosted <a href="https://www.techradar.com/web-hosting/best-web-hosting-service-websites">website</a> linked to it.</p><p>3. By operating in this exclusive namespace, organizations reduce exposure to lookalike domains commonly used in phishing, <a href="https://www.techradar.com/best/best-malware-removal">malware</a> and impersonation schemes. As a result, a .BRAND fortifies security, limiting financial and reputational risks.</p><p>4. Users readily distinguish fraud domains from real ones because a .BRAND establishes clear authenticity, a company-controlled online space and, thus, customer trust. What’s more, a .BRAND domain is automatically disassociated from the brand if the content/information cannot be traced to the organization.</p><h2 id="fueling-reliable-ai-llm-results">Fueling reliable AI/LLM results</h2><p>This means businesses can say with confidence, “If it doesn’t end in our .BRAND domain, then it’s not us.” Such confidence extends to the ubiquity of AI/large language models (<a href="https://www.techradar.com/computing/artificial-intelligence/best-llms">LLMs</a>) in multiple ways. </p><p>For starters, .BRANDs create a future-ready, controlled TLD infrastructure with a secure foundation for emerging technologies like AI and LLMs. Because the brand exclusively owns and operates the TLD, every domain published under it is inherently authenticated, giving AI systems a clean, unambiguous signal of origin when crawling and sourcing content.</p><p>An organization’s domain ecosystem plays a major role in influencing whether AI tools will use its content as a source. In gathering information to generate responses, LLMs and AI search engines increasingly rely on digital signals that are verified and contain reliable content, not those that appear to be fraudulent and/or contain inaccurate information. An ability to identify legitimate sources plays a crucial role here, especially given the wealth of AI-generated misinformation out there.</p><p>By definition, content hosted on a .BRAND website is verifiable and authentic. It would not exist if not for the indisputable confirmation associated with a legitimate organization. Beyond security, this establishes a strong signal for AI search results/response rankings, with .BRANDs emerging as machine-readable trust signals to optimize algorithmic rankings.</p><h2 id="seizing-a-rare-domain-opportunity">Seizing a rare domain opportunity</h2><p>A .BRAND is not a short-term marketing initiative; it is a long-term strategic position. It is distinctive, secure and easily identifiable as authentic by both humans and machines – delivering a decided, competitive advantage in the AI race. Indeed, a .BRAND indicates that your company is considered a market leader focused on innovation, with a lasting commitment to domain defense, brand control and digital strategy.</p><p>That said, pursuing a .BRAND is a significant undertaking. Applicants must hold a registered trademark for the desired extension, and the costs are considerable. These .BRANDs are most viable for larger organizations with legally defensible brand names and the resources to transition to and maintain a TLD long-term. For those that qualify, however, the investment secures a level of digital ownership that no other domain strategy can match.</p><p>It’s been 14 years since the last application window opened, and there may not be another opportunity in the foreseeable future after the current one closes on August 12 this year. Therefore, executive leaders should seize the moment to assess whether now is the time to ensure greater control over their brand’s digital identity – and position their organization as forward-thinking and authoritative.</p><p><em></em><a href="https://www.techradar.com/news/the-best-website-builder"><em>We feature the best website builders</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ GitHub confirms breach — thousands of internal repositories hit after employee installs malicious VS Code extension ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/github-confirms-breach-thousands-of-internal-repositories-hit-after-employee-installs-malicious-vs-code-extension</link>
                                                                            <description>
                            <![CDATA[ TeamPCP continues its attack on open source projects, now apparently asking for $50,000. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">C22m7CB6ZxaQKTfiyrXJ57</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 21 May 2026 13:20:00 +0000</pubDate>                                                                                                                                <updated>Fri, 22 May 2026 08:18:11 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH-1280-80.jpg">
                                                            <media:credit><![CDATA[Gil C / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[GitHub Webpage]]></media:description>                                                            <media:text><![CDATA[GitHub Webpage]]></media:text>
                                <media:title type="plain"><![CDATA[GitHub Webpage]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>GitHub confirms an employee’s compromised device led to exfiltration of internal repositories via a poisoned VSCode extension</strong></li><li><strong>Threat actors TeamPCP are selling an archive of roughly 4,000 repos on the dark web, asking $50,000 with samples shared for proof</strong></li><li><strong>The group is also behind recent npm supply‑chain attacks, highlighting its ongoing campaign against developer ecosystems</strong></li></ul><p>GitHub, one of the biggest <a href="https://www.techradar.com/best/best-open-source-software">open source</a> code repositories in the world, has confirmed being hit by a cyberattack which saw its sensitive data stolen. </p><p>In a short announcement on <a href="https://x.com/github/status/2056884788179726685" target="_blank" rel="nofollow">X</a>, GitHub saidone of its employees had their device compromised when they downloaded a poisoned VSCode extension. </p><p>The company removed the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, isolated the endpoint, and started an investigation, which determined the attacker exfiltrated some sensitive data.</p><h2 id="teampcp-takes-the-blame">TeamPCP takes the blame</h2><p>“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” Github noted. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”</p><p>In response, GitHub rotated critical secrets and continues to analyze logs, validate secret rotation, and monitor follow-on activity. “We will take additional action as the investigation warrants,” it concluded. </p><p>An archive of roughly 4,000 repositories is reportedly being offered for sale on the dark web, by threat actors known as TeamPCP, with <a href="https://cyberinsider.com/github-confirms-internal-repository-theft-as-teampcp-claims-attack/"><em>CyberInsider</em></a> claiming the group is asking for $50,000 in exchange for the archive, but apparently, no ransom note was left. </p><p>“There is a total of around ~4,000 repos of private code here,” the crooks allegedly said. They also shared samples, to prove the authenticity of their claims. If no one buys the stash soon, the attackers said they would leak it to the dark web for free. </p><p>Besides ShinyHunters, TeamPCP is currently one of the most active groups out there. It is responsible for <a href="https://www.techradar.com/pro/security/mini-shai-halud-hackers-publish-over-600-compromised-npm-packages-developers-warned-to-be-on-their-guard" target="_blank">Shai-Hulud</a> and Mini Shai-Hulud campaigns, in which they compromised countless GitHub and npm repositories, and used them to push malware to possibly thousands of projects.</p><p>It recently published more than 600 malicious packages to the npm registry, targeting more than 300 unique packages. By stealing login credentials and access tokens, the miscreants access legitimate packages and update them to push infostealer malware, grabbing credentials, and compromising CI/CD environments.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why our national sovereignty depends on cyber resilience ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/why-our-national-sovereignty-depends-on-cyber-resilience</link>
                                                                            <description>
                            <![CDATA[ Shared cyber resiliency is an imperative for our wider national sovereignty and security. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hjDasepng7GjNMtGmwyaFH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GwfBA5FJJWQSsrqCuLz3gL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 21 May 2026 10:44:27 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mike Sewart ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GwfBA5FJJWQSsrqCuLz3gL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A portion of the globe with countries lit up by their lights at night, and with dotted lights criss-crossing the image connecting the countries]]></media:description>                                                            <media:text><![CDATA[A portion of the globe with countries lit up by their lights at night, and with dotted lights criss-crossing the image connecting the countries]]></media:text>
                                <media:title type="plain"><![CDATA[A portion of the globe with countries lit up by their lights at night, and with dotted lights criss-crossing the image connecting the countries]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GwfBA5FJJWQSsrqCuLz3gL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>From our energy infrastructure, through to the systems responsible for our telecommunications, transport and utilities, a core set of services are essential to keeping our society running.</p><p>World events have rightly put Britain’s defense capabilities under renewed attention, but our national sovereignty is maintained just as much by the cyber resiliency of these critical systems as much as it is by nuclear deterrents, submarines and physical military hardware.</p><p>Operational Technology (OT) systems control power generation, transmission, distribution and gas transport safely and reliably. The increasing digitization and connection of these systems is seeing cyber risk emerge, whether it’s from the exploitation of unpatched vulnerabilities, phishing, or <a href="https://www.techradar.com/best/best-malware-removal">malware</a> attacks. </p><p>Launched by nation-state groups, or criminal elements employed as proxies, they are among the most significant threats to the industry, as they hope to trigger knock-on effects and cause severe disruption to everyday life.</p><p>A combination of internal gaps in strategy, <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> capabilities, and outdated technology, is leaving our energy grid vulnerable. Once compromised, the intention with many of these actors is to persist and maintain a presence within these systems, learning and capturing as much information as they can over time without being detected.</p><p>Automation is on their side, lowering the barrier to entry in getting attacks off the ground for opportunistic and commercially-motivated groups, as well as enabling further adaptation and evolution of malware. There are also risks with AI as it becomes embedded into enterprises.</p><p>Thales’ recent Data Threat Report, for example, found 61% of organizations globally rank AI as their top data security threat, as these automated systems are increasingly granted broad access to enterprise data.  </p><h2 id="operational-simulation-to-validate-cyber-resilience">Operational simulation to validate cyber resilience</h2><p>The scale and frequency of these risks underscore the importance of planning and simulating responses in as much detail as possible, and to this end, digital twins have become an increasingly popular tool in many industrial sectors.</p><p>Linking to <a href="https://www.techradar.com/best/best-data-recovery-software">data</a> gathered from a target environment, it allows for the creation of a perfect digital representation of a real object or process.</p><p>It’s here that cyber risk must be considered alongside engineering and operational risk, with governance frameworks that make sure cybersecurity supports wider safety and operational security.</p><p>As part of the validation, leaders also need to ensure that personnel can respond safely and effectively during incidents.</p><p>By working in a sandboxed environment, <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> teams responsible for critical energy networks can model attacks from ransomware outbreaks to insider attacks without risking downtime or data loss.</p><p>Ongoing testing and validation ensure security controls remain effective as systems evolve, because networks are continuously evolving. New assets are deployed, systems are upgraded, and operational requirements change - meanwhile resilience must be continuously maintained. </p><p>Going a level further, the operators of power grids, rail networks and water suppliers are often managing their digital and physical assets independently.</p><p>If we can integrate these various digital twins together, decision makers can suddenly see a shared, simulated and real-time model of the entire system, allowing for impact analysis should a problem emerge. </p><h2 id="a-unified-national-response-to-cyberattacks">A unified national response to cyberattacks</h2><p>Adequately addressing cyber risk to critical <a href="https://www.techradar.com/best/best-infrastructure-management-service">infrastructure</a> also requires a cultural shift in how these organizations deal with and react to the data about the attacks they face. </p><p>With priority given to confidentiality and secrecy, it means this is often hoarded and kept within a given organization, meaning each sector is left to deal with problems in isolation.</p><p>Threat actors know this and are keen to exploit it – after all, threats do not respect organizational boundaries. They’re moving at machine speed, while defense often moves at the speed of bureaucracy.</p><p>Whether it was successful or not, each unreported attack is a missed opportunity to refine security strategies, share knowledge, and enhance the overall resilience of the sector. Critical national infrastructure operators and suppliers must collaborate closely to identify and close these security blind spots.</p><h2 id="from-information-silos-to-networked-intelligence">From information silos to networked intelligence</h2><p>Building and sharing more of these capabilities across sectors puts us in a position where if a new malware signature is detected by one utility company, everyone else, from transport to defense and energy, can be immunized against that threat within milliseconds.</p><p>Mandated incident reporting, as the UK Government proposes for high-risk sectors and essential infrastructure, is a welcome move in the right direction.</p><p>Ofgem, the UK’s energy regulator, meanwhile, has strengthened its expectations around cyber resilience, shifting its emphasis from compliance to demonstrable operational capability and preparedness.</p><p>At CYBER UK this year, we talked a lot about how no single sector can meet this challenge in isolation. Critical infrastructure, public services, and private enterprises alike are all connected by digital ecosystems – and associated cyber risks. </p><p>Building shared resiliency into critical infrastructure is an imperative for our wider national sovereignty and security. It will take structural changes, from proactive security measures through to cultural shifts, to ensure our cyber expertise is up to the task of meeting what lies ahead.</p><p><em></em><a href="https://www.techradar.com/best/best-encryption-software"><em>We've featured the best encryption software.</em></a></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft takes down 'Fox Tempest' cybercrime service which used legitimate platforms to hide dangerous malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/microsoft-takes-down-fox-tempest-cybercrime-service-which-used-legitimate-platforms-to-hide-dangerous-malware</link>
                                                                            <description>
                            <![CDATA[ Fox Tempest created more than a thousand fake certificates, helping distribute Lumma, Vidar, and countless other malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dh2VEdkuw25daubKqERQBj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 May 2026 16:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Microsoft disrupts Fox Tempest operation which abused Azure Artifact Signing to issue fraudulent code‑signing certificates</strong></li><li><strong>The group created over 1,000 certificates and hundreds of Azure tenants, enabling malware campaigns to bypass security controls</strong></li><li><strong>Legal action was launched against Fox Tempest and Vanilla Tempest, whose services supported major malware and ransomware distribution</strong></li></ul><p>Microsoft has taken down a malicious service that offered digitally signed certificates to hackers, and has launched a legal case against the operation’s perpetrators.</p><p>In its <a href="https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/" target="_blank" rel="nofollow">report</a> the company said a threat actor known as Fox Tempest used Azure Artifact Signing to create temporary certificates. These certificates allowed malware to be signed as legitimate software, bypassing antivirus protections and compromising victim devices.</p><p>To access the service, the miscreants allegedly used different identities, stolen from people in the United States and Canada. To minimize the chances of being spotted, they created certificates that were only valid for 72 hours - however, during their work, the attackers created more than 1,000 certificates, as well as hundreds of <a href="https://www.techradar.com/reviews/microsoft-azure" target="_blank">Azure</a> tenants and subscriptions.</p><h2 id="high-profile-customers">High-profile customers</h2><p>"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said in the report.</p><p>"In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use."</p><p>As part of the takedown effort, Microsoft seized the signspace[dot]com domain, as well as hundreds of virtual machines. It also blocked access to infrastructure that hosted the entire service.</p><p><em></em><a href="https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/" target="_blank"><em>BleepingComputer</em></a> notes some of the biggest <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> and ransomware campaigns used Fox Tempest’s services, including LummaStealer, Vidar, Qilin, BlackByte, and Akira. Vanilla Tempest was named as a co-conspirator in the legal action, it was further stated, since it allegedly distributed both malware and ransomware. </p><p>Some of the fake apps being distributed this way included Teams, AnyDesk, and Webex.</p><p>"When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware," Microsoft explained. </p><p>“Because the Oyster malware was signed by a certificate from Microsoft's Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mini Shai-Halud hackers publish over 600 compromised npm packages — developers warned to be on their guard ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/mini-shai-halud-hackers-publish-over-600-compromised-npm-packages-developers-warned-to-be-on-their-guard</link>
                                                                            <description>
                            <![CDATA[ The Shai-Hulud campaign continues, now affecting hundreds of new packages and potentially compromising thousands of projects. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KqAQQ5WFNCieg2bLvDvYWN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/egLHa7RH89opTZtTLW95wE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 May 2026 15:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/egLHa7RH89opTZtTLW95wE-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/egLHa7RH89opTZtTLW95wE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>More than 600 malicious npm packages were published in a coordinated supply‑chain attack linked to TeamPCP’s Shai‑Hulud campaign</strong></li><li><strong>The attackers compromised ecosystems including TanStack, Mistral, and antv, introducing infostealers and persistence mechanisms in developer environments</strong></li><li><strong>Developers are advised to roll back to safe versions released before May 18 and rotate any exposed credentials</strong></li></ul><p>Cybercriminals published more than 600 malicious packages to the npm registry in a coordinated software supply-chain attack linked to the Shai-Hulud campaign.</p><p>Multiple security organizations, including Socket, confirmed that on May 19 2026, in just one hour, malicious actors managed to publish 639 versions of 323 unique packages on npm, targeting software developers, open-source maintainers, organizations running CI/CD pipelines, and everyone else who downloaded, or depends, on the compromised npm packages. </p><p>Shai-Hulud is a <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> campaign conducted by a threat actor known as TeamPCP. By stealing login credentials and access tokens, the miscreants access legitimate packages and update them to push infostealer malware, grabbing credentials, and compromising CI/CD environments.</p><h2 id="major-downstream-risk">Major downstream risk</h2><p>So far, TeamPCP compromised an undisclosed number of npm packages, but we know that at least some of them are from TanStack-related and Mistral-related ecosystems - with <a href="https://www.techradar.com/pro/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack-but-says-no-user-data-was-affected" target="_blank">OpenAI</a> one of the companies that confirmed suffering exposure as a result of the Shai-Hulud campaign.</p><p>In the latest attack, the threat actors targeted the antv ecosystem, into which thousands of GitHub repositories were later automatically created using stolen credentials. The campaign also introduced fake-looking package provenance signatures and new persistence mechanisms targeting VS Code and Claude Code environments.</p><p>The report does not say how many times the malicious package versions were actually downloaded, but it does stress the normal popularity of some affected packages. For example, the jest-canvas-mock package gets around 10 million monthly downloads, which suggests that the attack surface is extremely large.</p><p>Security researchers stressed that the full impact of the campaign is not yet known, mostly because we don’t know the number of downstream infections. However, supply-chain attacks like this one can be particularly dangerous, as just one compromised maintainer account can affect thousands of projects through automated package updates. </p><p>Developers who downloaded infected packages should remove or roll back to safe versions published before May 18, as well as rotate any potentially exposed credentials.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mac users beware — this devious new infostealer malware disguises itself as official Apple tools to lure in victims ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/mac-users-beware-this-devious-new-infostealer-malware-disguises-itself-as-official-apple-tools-to-lure-in-victims</link>
                                                                            <description>
                            <![CDATA[ SentinelOne found a new variant of the SHub macOS infostealer called Reaper. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kW8S8uBYsidJsBLr2no79k</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/o3U2t4BxoC8wMpEHpLqKMd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 19 May 2026 10:00:53 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/o3U2t4BxoC8wMpEHpLqKMd-1280-80.jpg">
                                                            <media:credit><![CDATA[Berat Bozkurt on Unsplash]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The menu bar running in macOS.]]></media:description>                                                            <media:text><![CDATA[The menu bar running in macOS.]]></media:text>
                                <media:title type="plain"><![CDATA[The menu bar running in macOS.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/o3U2t4BxoC8wMpEHpLqKMd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>SentinelOne uncovers new SHub macOS infostealer variant dubbed Reaper, spread via typosquatted WeChat and Miro domains</strong></li><li><strong>The malware disguises itself with fake Apple and Google update components, establishing persistence and backdoor access</strong></li><li><strong>Reaper targets browser credentials, crypto wallets, password managers, and sensitive documents, with signs of Russian‑speaking operators avoiding CIS systems</strong></li></ul><p>Cybersecurity researchers from SentinelOne have discovered a new variant of the notorious SHub macOS infostealer malware called ‘Reaper’.</p><p>In a new <a href="https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/" target="_blank">report</a> SentinelOne said it observed typosquatted domains spoofing popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online visual collaboration and whiteboard platform).</p><p>Victims using <a href="https://www.techradar.com/news/computing/apple/mac-buyer-s-guide-2015-1295725" target="_blank">macOS</a> and looking to install these apps will trigger an infection chain that constantly changes its disguise to make the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> look legitimate at every stage of attack. After launching the script, it will display a fake update message referencing Apple’s XProtectRemediator security tool, and after infecting the system, it will establish persistence by creating files and folders designed to look like a genuine Google software update component. </p><h2 id="avoiding-the-russians">Avoiding the Russians</h2><p>It will store a backdoor in a fake “GoogleUpdate” directory and register a LaunchAgent named “com.google.keystone.agent.plist,” the researchers said.</p><p>The goal of the campaign is to steal credentials and sensitive files, as well as cryptocurrency wallets. While SentinelOne does not attribute the attack to any specific group or threat actor, it did say there were several hints suggesting the operators may be Russian speaking (or are, at least, trying to avoid targets in former Soviet states). </p><p>The malware checks whether the infected system uses Russian input sources and exits if it detects systems in the CIS (Commonwealth of Independent States) region. SentinelOne also said that when they tried to bypass the malware’s anti-analysis protection, a fake website displayed a Russian “Access Denied” message. </p><p>The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business-related data, stealing browser credentials, crypto wallet data, login keychains, Telegram session data, and documents from the Desktop and Documents folders.</p><p>It also searches for browser extensions linked to password managers such as 1Password, Bitwarden, and LastPass, along with cryptocurrency wallets like MetaMask and Phantom.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/this-devious-android-malware-has-returned-disguised-as-tiktok-or-streaming-apps-and-is-now-using-blockchain-to-remain-undetected</link>
                                                                            <description>
                            <![CDATA[ A fake TikTok app is actually a banking trojan enabling credential theft and wire fraud. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GzPqouc6JbueJLDC254SYm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 May 2026 18:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg">
                                                            <media:credit><![CDATA[wk1003mike / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>ThreatFabric spotted new TrickMo.C variant targeting Android users in Europe</strong></li><li><strong>Disguised as TikTok/streaming apps, it steals credentials, intercepts SMS, suppresses OTPs, and enables live surveillance</strong></li><li><strong>Victims are mostly situated in France, Italy and Austria</strong></li></ul><p>Android users across Europe are being targeted with a new variant of a decade-old banking trojan, researchers have revealed.</p><p>ThreatFabric has <a href="https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app" target="_blank">explained</a> how it has been tracking a banking trojan called TrickMo.C, since January 2026.</p><p>TrickMo is an Android banking trojan that was first spotted in September 2019, but since then has been in active development, constantly receiving upgrades and new features. By 2024, there were more than 40 TrickMo variants in existence, being delivered through more than a dozen droppers, and communicating with 22 separate command-and-control (C2) infrastructures.</p><h2 id="extracting-secrets-from-the-french-italians-and-austrians">Extracting secrets from the French, Italians, and Austrians</h2><p>This latest version is being disguised as TikTok and streaming apps. The exact deployment mechanism is unknown, but it’s safe to assume the crooks are advertising it on third-party app repositories, on Telegram and social media channels, as well as through phishing and SEO poisoning.</p><p>When installed on the target device, TrickMo.C creates a phishing overlay through which it can harvest login credentials and other valuable secrets. It can also log keys, taps, and strokes, record the screen, livestream the contents directly to the attackers, and intercept SMS messages. It can suppress OTP notifications, modify the users’ clipboard, filter notifications, and send screenshots.</p><p>All of this allows the attackers to steal credentials, log into people’s bank accounts and crypto wallets, make payments and wire transfers, while keeping the victims entirely in the dark. The victims are mostly located in France, Italy, and Austria, it was said. </p><p>What makes TrickMo.C stand out compared to previous versions is that it communicates with its operator via TON, a decentralized peer-to-peer network originally developed around the Telegram ecosystem. Instead of using publicly exposed servers, users communicate with the web through an encrypted overlay network. </p><p>The operators use ADNL addresses routed through an embedded local TON proxy that runs on the infected endpoint.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Experts warn of 'highly sophisticated' weaponized JPEG campaign used to send out ScreenConnect malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/experts-warn-of-highly-sophisticated-weaponized-jpeg-campaign-used-to-send-out-screenconnect-malware</link>
                                                                            <description>
                            <![CDATA[ Hackers are targeting enterprises with a jpeg file, establishing persistence and elevating privileges. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">SJP7XQrpdrD85kQVAm2ad5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 May 2026 10:00:41 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:description>                                                            <media:text><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:text>
                                <media:title type="plain"><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Attackers weaponized a .jpeg file to deliver PowerShell payloads, trojanized ScreenConnect, and establish persistence</strong></li><li><strong>The malware enables credential theft, encrypted C2 comms, and surveillance features </strong></li><li><strong>Cyfirma warns the campaign reflects a mature intrusion framework</strong></li></ul><p>Be careful when downloading files from the internet, as even innocent .jpeg files can actually contain malware, experts have warned.</p><p>Security researchers Cyfirma <a href="https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/" target="_blank" rel="nofollow">published</a> an in-depth report on a brand new hacking campaign they named “Operation SilentCanvas”. While we don’t know the number of infections, or successfully compromised victims, the researchers said the campaign likely targets enterprises and other organizations using remote administration tools.</p><p>The attack starts when the victim receives the weaponized .jpeg file. Again, we don’t know the exact delivery mechanism, but Cyfirma speculates the file is delivered either via phishing emails with malicious attachments, deceptive file-sharing interactions, or fake software and update lures. </p><h2 id="professionally-engineered-and-operationally-mature-intrusion-framework">"Professionally engineered and operationally mature intrusion framework"</h2><p>In any case, when the victim runs the file, named ‘sysupdate.jpeg’, it actually executes a malicious PowerShell payload which does a number of things: it downloads additional payloads from the attacker’s infrastructure; deploys a trojanized version of ConnectWise ScreenConnect for covert remote access; bypasses Windows security protections and elevates privileges by adding malicious Registry entries; and establishes persistence via a fake Windows service named OneDriveServers.</p><p>The <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> also enables encrypted communications with the command-and-control (C2) infrastructure, steals credentials, and fingerprints the system. Other supported features include screen capture, microphone capture, and clipboard monitoring.</p><p>“The overall tradecraft reflects a professionally engineered and operationally mature intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, enterprise espionage, and potential ransomware deployment within enterprise environments,” Cyfirma concluded, without naming the group, or even linking it to a specific country, or region.</p><p>To defend against this campaign, security experts should keep an eye on commonly abused Windows binaries, including csc.exe, cvtres.exe, or ComputerDefaults.exe. If possible, these should be blocked entirely. Remote access platforms should be strictly controlled, and detection rules for suspicious PowerShell behavior set up. </p><p>Finally, any system that displays unexpected ScreenConnect activity should be sealed off immediately. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A fake OpenAI repository has taken top spot on Hugging Face — but all it does is push infostealer malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/a-fake-openai-repository-has-taken-top-spot-on-hugging-face-but-all-it-does-is-push-infostealer-malware</link>
                                                                            <description>
                            <![CDATA[ Its popularity may have been faked, though, as the "likes" all came from auto-generated accounts. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vPUYUUQayK4pMT6ZiaxU3S</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PAztEScphfxGJfYno5NjrL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 11 May 2026 15:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PAztEScphfxGJfYno5NjrL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A robot standing thoughtfully in front of a giant digital display with code on it]]></media:description>                                                            <media:text><![CDATA[A robot standing thoughtfully in front of a giant digital display with code on it]]></media:text>
                                <media:title type="plain"><![CDATA[A robot standing thoughtfully in front of a giant digital display with code on it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PAztEScphfxGJfYno5NjrL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Attackers typosquatted an OpenAI repo on HuggingFace, distributing an infostealer disguised as a “privacy filter” model</strong></li><li><strong>The malware disabled SSL checks, escalated privileges, and deployed the </strong><em><strong>sefirah</strong></em><strong> payload to steal credentials, crypto wallets, and system data</strong></li><li><strong>The fake repo hit 244,000 downloads and briefly topped HuggingFace rankings before removal, with other linked malicious repos also taken down</strong></li></ul><p>Cybercriminals were able tp spoof OpenAI products to distribute an infostealer malwar to more than 240,000 computers before being spotted and eliminated, experts have warned.</p><p>Security researchers HiddenLayer said they spotted a new repository on HuggingFace called Open-OSS/privacy-filter.</p><p>The privacy filter repository is, according to HiddenLayer, a typosquatted version of the official release, which came with a model card that was copied “nearly verbatim”. The loader.py file that was shipped in it fetches and executes an infostealer, they added. </p><h2 id="rising-to-the-top">Rising to the top</h2><p>Before dropping the infostealer, the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware </a>first disabled SSL verification, decoded a base64 URL, and from it downloaded a JSON payload with a PowerShell command. This command, in turn, downloaded a batch file that escalated privileges, deployed the ‘sefirah’ payload, added it to Microsoft Defender’s exclusion list, and then ran it. </p><p>The infostealer itself does what most infostealers do - grabs data saved in browsers, exfiltrates discord tokens, local databases, and master keys, steals cryptocurrency wallet information, browser extension data, SSH, FTP, VPN credentials, as well as sensitive files stored locally. It can also grab screenshots, exfiltrate system information, and more. </p><p>The download count on the fake repository is massive - 244,000 downloads in mere days. </p><p>However, this doesn’t mean every download led to an infection. <a href="https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/" target="_blank"><em>BleepingComputer</em></a>says the download numbers may have been inflated, and that the repository itself was “liked” by 667 auto-generated accounts. Still, even if it was all fake, the repository still managed to hit #1 on Hugging Face for a brief moment, which definitely could have lead to infections. </p><p>However, by following the trail of the fake accounts, HiddenLayer was able to expose other, less-successful repositories, which were also malicious and used the same infrastructure. All of these have since been removed from the platform.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Top download manager JDownloader hacked — installers replaced with dangerous malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/top-download-manager-jdownloader-hacked-installers-replaced-with-dangerous-malware</link>
                                                                            <description>
                            <![CDATA[ Between May 6 and 7, it was dangerous to install JDownloader from alternative links on the site. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4C3L2WBvp9imvne7zDKCEm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DVYr26EgcJb68CRrjxuAW4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 11 May 2026 13:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/DVYr26EgcJb68CRrjxuAW4-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker with malware code in computer screen. Cybersecurity, privacy or cyber attack. Programmer or fraud criminal writing virus software. Online firewall and privacy crime. Web data engineer]]></media:description>                                                            <media:text><![CDATA[Hacker with malware code in computer screen. Cybersecurity, privacy or cyber attack. Programmer or fraud criminal writing virus software. Online firewall and privacy crime. Web data engineer]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker with malware code in computer screen. Cybersecurity, privacy or cyber attack. Programmer or fraud criminal writing virus software. Online firewall and privacy crime. Web data engineer]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DVYr26EgcJb68CRrjxuAW4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Attackers exploited a CMS flaw to replace Windows and Linux installer links with malware‑laden versions between May 6–7, 2026</strong></li><li><strong>The poisoned installers deployed a Python‑based RAT via a loader, while other distribution channels (macOS, JAR, Snap, etc.) remained safe</strong></li><li><strong>AppWork advises verifying digital signatures (“AppWork GmbH”) to avoid tampered builds; the site has since been secured</strong></li></ul><p>Popular download manager JDownloader recently had its website hacked and hijacked to deploy malware to Windows and <a href="https://www.techradar.com/best/best-linux-distros-for-windows-users">Linux</a> users. </p><p>As explained by owner AppWork, unidentified attackers found a vulnerability in the website’s content management system (<a href="https://www.techradar.com/best/cms">CMS</a>), and used it to swap out the download links for a pair of variants:</p><p>"Changes were made through the website's content management system, affecting published pages and links," AppWork said in its incident report. "The attacker did not gain access to the underlying server stack — in particular no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content."</p><h2 id="checking-the-digital-signature">Checking the digital signature</h2><p>Anyone who clicked on the alternative Windows installer download links, or the Linux shell installer link, between May 6 and May 7, 2026, was redirected to a third-party server hosting a malicious version of the software. This version was poisoned to include a loader that deployed a heavily obfuscated Python-built Remote Access Trojan (RAT). </p><p>Other downloads, including in-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package were not tampered, AppWork confirmed. </p><p>It also said the best way to make sure you’re using the right installer is to double-check its digital signature. That can be done by right-clicking on the executable, navigating to Properties, and then the Digital Signatures tab. The program needs to show it was signed by “AppWork GmbH”, otherwise it’s definitely <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>. </p><p>On Reddit, users who downloaded the tainted versions saw the developer being listed as 'Zipline LLC,' and 'The Water Team'. Luckily enough, Windows Defender flagged the program as malicious, protecting the users.  </p><p>The website was temporarily turned off, allowing the company to plug the hole and clean up the links.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Threat actors are clearly adapting to the widespread interest in popular AI tools': AI fans beware, hackers create a fake Claude site to spread backdoor malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/threat-actors-are-clearly-adapting-to-the-widespread-interest-in-popular-ai-tools-ai-fans-beware-hackers-create-a-fake-claude-site-to-spread-backdoor-malware</link>
                                                                            <description>
                            <![CDATA[ Sophos found a fake Claude website deploying a simple but effective RAT. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qKnyW46inYpSrX2XYBAUAR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 08 May 2026 16:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg">
                                                            <media:credit><![CDATA[wk1003mike / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>A spoofed site (</strong><em><strong>claude-pro[.]com</strong></em><strong>) delivers poisoned installers that sideload DonutLoader and the Beagle backdoor</strong></li><li><strong>The operation mimics legitimate Claude software, likely tied to PlugX operators using DLL sideloading</strong></li><li><strong>Researchers warn of malicious ads and SEO poisoning, urging users to verify links before downloading</strong></li></ul><p>If you’re looking to download the Claude client on Windows, be careful, because there are fake and malicious versions out there looking to exploit interest in new AI models.</p><p>Security researchers from Sophos have <a href="https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor" target="_blank">flagged</a> how one such alleged Claude Pro offering led them to a website “claude-pro[.]com”. The site itself was built to look identical to the legitimate claude.ai official website, but the researchers determined it was fake rather quickly, as none of the links or buttons on the site, aside from the download one, worked - all redirecting back to the homepage.</p><p>Those who didn’t spot the scam, and clicked the download button, would end up with a working version of Claude - however, one which had been poisoned to also deliver an updater, and a DLL file. In classic DLL sideloading fashion, the updater runs the malicious DLL which, in turn, deploys a loader malware called DonutLoader.</p><h2 id="dropping-beagle">Dropping Beagle</h2><p>This tool, in turn, fetched a “relatively simple backdoor” called Beagle, capable of running commands, uploading and downloading files, creating directories, uninstalling agents, and more. </p><p>Sophos could not attribute this campaign to any particular threat actor, but they did say that it was most likely operated by the same people who are running PlugX. </p><p>PlugX is a remote access trojan (RAT) usually used by Chinese state-linked threat groups to spy on victims, steal data, and maintain persistent access to compromised systems. The <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> is described as being highly adaptable and modular, allowing attackers to execute commands, capture screenshots, log keystrokes, and move laterally across networks. It has been active for more than a decade and is one of the longer-running RATs out there. </p><p>The attackers most likely planned to run malicious ads and SEO poisoning to reach their targets, so make sure to double-check the links in your search engine before visiting any websites.</p><div style="min-height: 250px;">                                <div class="kwizly-quiz kwizly-WwnQze"></div>                            </div>                            <script src="https://kwizly.com/embed/WwnQze.js" async></script>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI-driven cyber warfare reshapes global defense readiness ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/ai-driven-cyber-warfare-reshapes-global-defense-readiness</link>
                                                                            <description>
                            <![CDATA[ The Iran conflict is exposing how AI is transforming cyber warfare, and testing global defenses in real time. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">32hgGRtr2V2P9HGAQta2DD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 08 May 2026 09:15:28 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ziv Mador ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7DtE9RCVmUtmH2FAfvxsvM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Iran conflict is serving as an AI testbed for the next era of cyber conflict. Most organizations are watching the tactics and impact unfold with <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a> defenses that are simply not prepared for this level of sophistication. </p><p>Meanwhile, technology leaders are seeing AI as both their biggest opportunity and a major new attack vector. Despite this recognition of AI as both notable ally and foe, only one in five CIOs feels highly effective at defending against AI-enabled adversaries. </p><p>Concurrently, state-backed groups on all sides are already using AI-enhanced tooling to run highly targeted phishing attacks, moving quickly through networks and hitting critical <a href="https://www.techradar.com/best/best-infrastructure-management-service">IT infrastructure</a>.</p><p>Put simply, the AI-powered cyber arms race has moved beyond the theoretical and well into a live-testing phase, in a real conflict zone. </p><h2 id="cyber-as-the-first-mover">Cyber as the first mover</h2><p>Cyber operations are now an intrinsic part of warfare. US commanders have called cyber and space units the “first movers”, used to blind Iranian systems, cut communications, and shape the battlefield before and during airstrikes. </p><p>According to LevelBlue’s analysis, large <a href="https://www.techradar.com/news/best-ddos-protection">DDoS</a> attacks, deep hacks into energy and telecoms and manipulation of mobile apps drove Iran’s internet connectivity down to about 4% of normal during the first waves of strikes. It’s clear is that cyber can no longer be thought of as a passive defense tactic.</p><p>The same dynamics can now be seen mirrored in Iran’s response. Iranian APTs (Advanced Persistent Threats) like MuddyWater, Charming Kitten, OilRig and Elfin have shifted from quiet pre-positioning to more aggressive cyberattack campaigns, using AI-assisted tooling like GhostFetch and RustyWater. </p><p>These <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> automate scouting, create convincing phishing lures and spread quickly through networks. Business leaders are learning in real time that in a crisis, cyber strikes hit first to blind, confuse decisions and set the scene for future attacks. </p><p>If their organization is unable to detect and respond to said strikes at machine-speed, they are already two steps behind.</p><h2 id="the-reality-of-ai-accelerated-attacks">The reality of AI-accelerated attacks</h2><p>The ongoing Iran conflict offers a concrete preview of how AI and cyber tactics will interact in future conflicts. War has moved off the battleground onto computer screens and lines of code. </p><p>On the offensive side, AI helps sift <a href="https://www.techradar.com/best/best-open-source-software">open-source</a> intelligence, satellite images and telemetry to spot targets faster. This is in line with what US officials have hinted at when talking about “finding and fixing” Iranian military assets.</p><p>On the defensive and retaliatory side, Iranian hackers and <a href="https://www.techradar.com/best/best-free-proxies">proxies</a> use AI for scale. This includes hyper-personalized phishing against policymakers and NGOs, automated credential theft and password spraying, in addition to wiper <a href="https://www.techradar.com/best/best-malware-removal">malware</a> hitting factories and hospitals to maximize chaos.</p><p>Such attacks are blurring the lines between “activists” and states. Groups using hacktivist-style names, like Handala, are carrying out destructive data-wiping and data-leaking operations that in reality look and feel like government-backed campaigns. However, whether it’s a lone hacker or a nation-state, the impact on a business is the same. </p><h2 id="what-it-leaders-need-to-know">What IT leaders need to know</h2><p>As the cyberthreat landscape increases in complexity and sophistication amidst ongoing geopolitical conflict, CIOs, CTOs and business leaders in general need to take actionable steps to get prepared: </p><p>Firstly, every business leader should assume that AI-driven tradecraft will be used against their organization, whether or not that business is a direct party to a geopolitical dispute.  Threat <a href="https://www.techradar.com/best/best-bi-tools">intelligence</a> reports show spillover activity across sectors and regions as Iranian and allied groups probe for soft spots in energy, finance, healthcare and aviation networks beyond the conflict zone. </p><p>US medical-device company Stryker has already fallen victim to a state-backed cyberattack. Across the pond, the UK’s National Cyber Security Centre has also urged firms to strengthen their defenses amid the conflict. Therefore, the traditional “we’re not a likely target” thinking is rendered moot and dangerously outdated. </p><p>Secondly, investment in AI should be deliberate rather than reactive, to match attackers’ use of AI. Most leaders are now  investing in AI for threat detection and faster response, while embedding cyber resilience across the business. The Iran conflict is actively demonstrating why this priority shift cannot wait. </p><p>Adversaries are using AI to sift through organizations' complex digital footprints, spotting tiny weaknesses or patterns that can be exploited, which lets them gain access to systems much faster than before. </p><p>On the defensive side, AI is already enriching analyst context. AI is being used to combine signals across <a href="https://www.techradar.com/news/best-domain-registrars">domains</a>, certificates, telemetry and intelligence sources to surface suspicious activity faster and with greater confidence. </p><p>However, clear governance is a must for the wider industry as AI investments only pay off if someone is clearly in charge of them. In practice, this looks like boards actually understanding AI’s trade-offs, having a defined risk appetite and clear cyber metrics that are tied directly to up-time, reputation and regulatory risk rather than just a dashboard of automated alerts. </p><p>Third, the cyber-hygiene basics that AI will amplify need to be fixed and maintained. The Iran crisis has exposed how much damage can be done by exploiting long-standing weaknesses like unpatched remote access, flat networks and factory-set passwords on critical control equipment that were never changed. </p><p>With more than half the CIOs seeing software supply-chain <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> and third-party distribution as high risk, 70% of them are investing in enhanced controls there. Enhanced controls in this context mean tightened due-diligence on vendors and M&A targets. </p><p>They also mean demanding transparency into code provenance and build-pipelines, in addition to using AI-assisted <a href="https://www.techradar.com/best/best-network-monitoring-tools">monitoring</a> to spot anomalies in partner behavior before an incident cascades into an organization's environment. </p><p>Finally, if a nation-scale disruption is to be expected (as it should be), it should be rehearsed for. Iran’s near-total connectivity blackout, combined with attacks on critical infrastructure communications, demonstrates the failure of “business-as-usual” assumptions. CIOs are increasingly planning to work with incident-response specialists and threat intelligence providers. </p><p>However, many still lack mature, tested continuity plans that assume prolonged outages, disinformation and simultaneous incidents across multiple suppliers. In an AI-driven crisis, businesses that have practiced decision-making under pressure, with partial data and automated attacks, will fare better than those still relying on a static playbook. </p><h2 id="final-thoughts">Final thoughts</h2><p>Most organizations around the globe are watching the events in Iran unfold, with defenses designed for a slower, less sophisticated cyber security posture. CIOs and IT leaders are learning in real time that when an attack occurs, there will not be a safe, quiet moment to prepare for it. </p><p>If adversaries are using AI to move faster, hide better and hit harder, businesses need to be equipped with governed AI capabilities, hardened basics and rehearsed crisis plans of their own. </p><p>Anything less falls equivalent to hoping that the tactics being perfected over an active war-zone will never be turned on your own business, which is simply not a strategy.</p><p><em></em><a href="https://www.techradar.com/best/best-patch-management-tools"><em>We've ranked the best patch management software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords': Experts warn that free image editor tool could actually be dangerous malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/what-started-as-someone-potentially-trying-to-remove-the-background-from-a-selfie-ended-with-a-custom-net-stealer-rifling-through-their-browser-passwords-experts-warn-that-free-image-editor-tool-could-actually-be-dangerous-malware</link>
                                                                            <description>
                            <![CDATA[ Background removal services are being used in ClickFix attacks, delivering dangerous infostealer malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7kqUCv8oGCyRACzhCd2cxi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 May 2026 16:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>A fake photo tool ranked high in search results tricks users into running malware via ClickFix tactics</strong></li><li><strong>Victims first get infected with CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer</strong></li><li><strong>The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise</strong></li></ul><p>A website promising to remove backgrounds from selfie photos is actually just dropping infostealing malware on people’s computers, security researchers are saying.</p><p>Cybersecurity experts at Huntress <a href="https://www.huntress.com/blog/clickfix-castleloader-backgroundfix" target="_blank">outlined</a> how they discovered a website which, through SEO poisoning, managed to work its way to the top of search engine results pages. Therefore, when people search for background removal tools, there is a good chance they’ll land on this particular, malicious site.</p><p>When they upload their photos to this service, it doesn’t really get processed. Nothing gets uploaded or shared in any way. However, the site then requests the user to “verify they’re human” by opening up the Windows Run program and pasting a command that was copied onto their clipboard.</p><h2 id="castleloader-castlestealer-and-netsupport-rat">CastleLoader, CastleStealer, and NetSupport RAT</h2><p>In typical ClickFix fashion, the attackers actually demand the victims to run malware themselves, first infecting their devices with CastleLoader. This is the main loader that is used to deliver additional payloads.</p><p>Through CastleLoader, the miscreants can then deploy stage-two <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, including NetSupport RAT, and CastleStealer.</p><p>The former is a remote access trojan (RAT) which grants the attackers remote access to infected systems, while the latter is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files. </p><p>“What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords, crypto wallet vaults, and Telegram session, plus a NetSupport RAT dropped on disk for follow-up access,” Huntress explained. </p><p>ClickFix attacks can be mitigated through education - users should know that no legitimate service will ask users to verify they’re not a bot with on-device activity (such as, running a program locally). Alternatively, admins can disable the Win + R shortcut for Run, making it less likely for the victims to actually run the malicious code.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ North Korean hackers target gamers with trojanized platform - here's what to look out for ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/north-korean-hackers-target-gamers-with-trojanized-platform-heres-what-to-look-out-for</link>
                                                                            <description>
                            <![CDATA[ Popular game platform was compromised and used to deliver backdoors. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">H4d5VL85gNfqkdKWGBice9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 May 2026 22:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg">
                                                            <media:credit><![CDATA[wk1003mike / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trojan]]></media:description>                                                            <media:text><![CDATA[Trojan]]></media:text>
                                <media:title type="plain"><![CDATA[Trojan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>North Korean APT37 (ScarCruft) gang compromised a Yanbian gaming platform to deliver the BirdCall backdoor</strong></li><li><strong>On Windows, it enabled data theft and command execution; on Android, it exfiltrated contacts, messages, media, and ambient audio</strong></li><li><strong>The malware is actively maintained, with Android versions still hosted, targeting ethnic Koreans and defectors in China</strong></li></ul><p>North Korean state-sponsored threat actors are apparently targeting their compatriots living in (or moving through) China with advanced Android backdoors across gaming platforms. </p><p>A <a href="https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/" target="_blank" rel="nofollow">report</a> from security researchers ESET claims to have seen an advanced supply-chain attack that probably began in late 2024. The threat actors, most likely ScarCruft (also known as APT37, or Reaper), managed to compromise SQgame, a multi-platform gaming service built specifically for the people of Yanbian.</p><p>The Yanbian Korean Autonomous Prefecture is an autonomous prefecture in China’s Jilin Province. It is located near the border with North Korea and Russia, and was established to give administrative autonomy to the large population of ethnic Koreans living there. According to ESET, Yanbian is also a key crossing point for North Korean refugees and defectors, which could be one of the reasons why it’s being targeted.</p><h2 id="birdcall-malware">BirdCall malware</h2><p>"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," ESET said. </p><p>The backdoor is called BirdCall and, depending on the platform it is installed on, can do different things. On Windows, it can grab screenshots, log keystrokes, steal the contents of the clipboard, execute shell commands, and exfiltrate data. All of the stolen info is then uploaded to legitimate cloud services such as Dropbox or pCloud. </p><p>On Android, things are a bit different, allowing ScarCruft to also exfiltrate contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio. So far, the <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> was updated seven times, leading researchers to believe it is being actively maintained. </p><p>ESET says that the platform is still hosting malicious games. However, these seem to be limited to the Android platform. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI agents now commit and conceal cybercrimes on their own ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/ai-agents-now-commit-and-conceal-cybercrimes-on-their-own</link>
                                                                            <description>
                            <![CDATA[ Autonomous AI fraud agents steal massive data, hiding their tracks beyond human attribution ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iZ9nkMPc9pEXb6XuHD4zb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 May 2026 13:44:13 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Terence Kwok ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg">
                                                            <media:credit><![CDATA[Thapana Onphalai via Getty Images]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Autonomous AI fraud agents steal massive data, hiding their tracks beyond human attribution.]]></media:description>                                                            <media:text><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:text>
                                <media:title type="plain"><![CDATA[Hands on a laptop with overlaid logos representing network security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pVCXKrhThqmUjYVSZBjV5Z-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>For several years now, AI has been showing up in fraud as an accelerant. It drafted phishing emails, polished social engineering scripts, helped attackers move faster. The human operator still sat close to every meaningful step.</p><p>But that distance is shrinking really fast. In September 2025, Anthropic’s Claude Code was used in a cyber-espionage campaign when AI handled 80 to 90% of tactical operations across roughly 30 targets. </p><p>A few months later, reporting on the Mexican government breach described a jailbroken Claude Code setup that Gambit Security said stole more than 150GB of data and exposed roughly 195 million identities.</p><p>That’s the real break with the past. Now we are not looking at AI as a helper inside a criminal workflow, but as confronting systems that can carry out large parts of the workflow by themselves.</p><h2 id="cybercrime-has-changed-its-shape">Cybercrime has changed its shape</h2><p>Once an agent has tools, context, and permission, cybercrime seems to look like an always-on operation. It can recon targets, write exploits, harvest credentials, move laterally, and package stolen data at machine speed. </p><p>It matters because those capabilities are now part of the real threat environment. Attacks by AI-enabled adversaries rose 89% year over year, and autonomous AI adoption is climbing despite <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> concerns. </p><p>We’re witnessing a setting for the next fraud wave: agents enter mainstream systems at the same moment attackers learn how to weaponize them.</p><p>Fraud loves scale, repetition, and weak supervision. Agentic systems bring all three. They do not get tired and do not forget the playbook. They can be pointed at thousands of tiny decisions that add up to huge losses.</p><h2 id="attribution-is-starting-to-fail">Attribution is starting to fail</h2><p>Traditional attribution leans on familiar clues. Investigators compare IP paths, <a href="https://www.techradar.com/best/best-malware-removal">malware</a> families, domains, infrastructure, and other indicators of compromise — even though the field has long known that proxies, false flags, and shared tooling can blur that picture.</p><p>Agentic AI makes the problem worse because the operational exhaust isn’t tied neatly to a single human hand anymore. The model can generate fresh code, adapt the sequence of actions, or distribute work across tools and sessions. In the Mexico case spotlight, there was an unidentified attacker who was aided by <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a>, and this kind of ambiguity should worry every defender.</p><p>So, the point is not that humans disappear, but responsibility gets smeared across prompts, models, tools, delegated permissions, and machine-generated actions. And that weakens the old comfort that attribution will eventually catch up. The forensic trail now contains a non-human operator making consequential moves inside the attack chain.</p><h2 id="identity-has-to-travel-with-the-agent">Identity has to travel with the agent</h2><p>Every meaningful AI action should carry a verifiable cryptographic identity. Once an AI agent is able to act inside a system, those actions should not be anonymous. Each one should be signed, linked to a verifiable identity, and captured in a trustworthy audit trail. Without that, we are asking security teams to govern autonomous behavior that leaves no reliable proof of authorship.</p><p>The idea isn't fringe, and it's here. NIST launched an AI Agent Standards Initiative in February. Its concept paper explicitly calls for identifying agents, linking user identities to delegated actions, logging agent activity, and tracking the provenance of prompts and data inputs.</p><p>Now, this is the market already telling us why this matters – 68% of organizations cannot clearly distinguish AI agent activity from human activity, even as 73% expect agents to become vital within a year. And it’s not a minor governance gap, it’s a direct liability in any environment where fraud, abuse, or data theft can be carried out through an agent.</p><h2 id="the-hard-part-is-not-cryptography-but-governance">The hard part is not cryptography, but governance</h2><p>We already know how to sign and verify digital artifacts. Provenance, integrity, and identity-bound signatures can be made usable at scale. The missing move is extending that discipline from models and software artifacts to the actions agents take after deployment.</p><p>That won’t be simple. Standards have to work across model labs, enterprise stacks, <a href="https://www.techradar.com/best/best-open-source-software">open-source</a> tooling, API gateways, agent protocols. <a href="https://www.techradar.com/best/best-privacy-apps-for-android">Privacy</a> questions are real, too, because auditability cannot become a back door for blanket surveillance.</p><p>Still, those are design problems, and not excuses for anonymity. I believe what’s missing is an identity verification layer that lets people, institutions, and eventually AI agents prove who they are, what they’re allowed to do, and which credentials can be trusted, without exposing the raw data underneath. Built well, that kind of system gives trust a cryptographic form. It can move across platforms, survive handoffs between systems, and hold up under scrutiny.</p><p>Fraud spreads wherever <a href="https://www.techradar.com/best/best-identity-management-software">identity management </a>is flimsy, and provenance breaks down. If access, eligibility, and high-risk actions are tied to verifiable credentials, it becomes much harder for a <a href="https://www.techradar.com/pro/best-ai-chatbot-for-business">bot</a>, a synthetic identity, or an autonomous agent to pass through systems on empty claims. The action carries history with it. The trust signal does too.</p><p>AI fraud has crossed a threshold. When an agent can scout, decide, execute, and document the operation, anonymity becomes a structural weakness instead of convenience.</p><p>We need a security model that does more than log what happened after the fact. We need one that can prove who stood behind an action, who delegated it, and whether that identity can be trusted in the first place. In a world of autonomous agents, that is not a nice safeguard now, but the baseline for keeping fraud governable.</p><p><em></em><a href="https://www.techradar.com/best/best-identity-theft-protection"><em>We've ranked the best Identity Theft Protection</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How AI's evolution is redefining risks ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/how-ais-evolution-is-redefining-risks</link>
                                                                            <description>
                            <![CDATA[ Industrialized cybercrime means AI has moved from a double-edged to a triple-edged sword. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dhC2aUgfNgBPPhievWX223</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ywSwn3oGxXv4PfcRPZmTrc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 May 2026 10:27:07 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Richard Lindsay ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ywSwn3oGxXv4PfcRPZmTrc-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock/TippaPatt]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ Man coding programmer, software developer working on digital tablet with binary, html computer code on virtual screen]]></media:description>                                                            <media:text><![CDATA[ Man coding programmer, software developer working on digital tablet with binary, html computer code on virtual screen]]></media:text>
                                <media:title type="plain"><![CDATA[ Man coding programmer, software developer working on digital tablet with binary, html computer code on virtual screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ywSwn3oGxXv4PfcRPZmTrc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> have long been a double-edged sword, used by attackers and defenders alike. </p><p>However, it has recently shown its third edge; as it becomes increasingly embedded within organizations as a tool, it is now also an attack surface which cybercriminals will look to exploit, and which organizations must strive to protect.</p><p>At first glance, it may appear that this has tipped the AI scales in favor of attackers. AI has industrialized the cybercrime landscape, boosting the efficiency of attacks, as well as enabling them to be scaled up. </p><p>And now, it is no longer just a weapon but a new attack vector.  However, this same efficiency can be used to help power defenses against cyberattacks, helping to protect organizations.</p><h2 id="a-new-frontier-of-ai-enhanced-attacks">A new frontier of AI-enhanced attacks</h2><p>While AI offers immense potential for innovation, it has also been adopted as a powerful tool by cybercriminals to execute more sophisticated attacks. Threat actors like Storm-0817, for instance, actively use AI to assist in <a href="https://www.techradar.com/best/best-malware-removal">malware</a> development and social media scraping. </p><p>Groups like the Black Basta collective have also used AI to craft emails in multiple languages, thereby expanding their global reach. OpenAI recently disrupted dozens of malicious operations that were misusing its models for malware creation, phishing, and disinformation. </p><p>While most cybercriminal groups still seem to be using AI as more of an assistive tool at this stage, a future of fully automated cyber attacks is growing increasingly possible. </p><p>In November of last year, Anthropic disrupted the first reported AI-orchestrated cyber espionage campaign, during which its agentic AI tool Claude Code was manipulated to conduct automated reconnaissance and intrusion attempts against global targets. </p><p>It is highly likely that we will see more attacks like this in the coming months, as attackers gain skill and confidence in using AI. </p><h2 id="two-edges-becomes-three">Two edges becomes three</h2><p>The third edge represents a shift in AI, away from being just a weapon or a shield and instead becoming a handle which attackers can use to steer an organization's own <a href="https://www.techradar.com/best/best-infrastructure-management-service">IT infrastructure</a> against itself, whether through attackers exploiting plugins used to connect AI tools to enterprise data, or via ‘hijacking’ an AI assistant. As agentic AI becomes increasingly the norm, we will see this more and more. </p><p>This can be seen in the 2025 compromise of the “Drift” AI module linked to Salesloft, which resulted in the theft of Salesforce data from several hundred organizations, including multiple security vendors. </p><p>Another example is the recent “EchoLeak” campaign against Microsoft 365 Copilot, which revealed how a carefully crafted email could deliver malicious instructions to an embedded AI assistant, leading to silent data exfiltration. </p><p>Finally, this third edge to AI has also been sharpened by the growing problem of Shadow AI, where employees use unauthorized AI tools, creating a ‘leaky bucket’ where sensitive corporate <a href="https://www.techradar.com/best/best-product-information-management-software">information</a> is sometimes fed into public models. </p><h2 id="ai-s-neutrality-defense-vs-offense">AI’s neutrality: defense vs offense</h2><p>Crucially, organizations must not shy away from AI simply because it is an attack vector. AI as a technology offers significant efficiency benefits to organizations across sectors, and so the answer isn’t to avoid it but to protect AI tools and systems properly. </p><p>The best way to balance AI risk with optimized business potential is to take a <a href="https://www.techradar.com/news/best-internet-security-suites">security</a>-first and human-centric approach. That means putting people in control while using AI to support decision-making. This ‘Secure AI’ approach encompasses a system that is transparent, explainable, and aligned with regulations to meet unique needs and IT company ambitions.</p><p>The silver lining is AI’s own neutrality; the very same algorithms that power sophisticated cyber attacks can also be used to support modern defense systems. For instance, AI can streamline threat detection, incident response, and risk management. </p><p>Where traditional detection methods fall short in <a href="https://www.techradar.com/best/best-online-cyber-security-courses">cybersecurity</a>, defensive AI can assist in identifying ‘beaconing’ behavior through pattern recognition. Anomalies are raised to security teams through real-time notifications, enabling prompt investigation alongside required action. </p><p>Overall, this supports teams with more routine elements of system security, including the <a href="https://www.techradar.com/pro/best-it-documentation-tool">documentation</a> of security intelligence, event information, and analysing potentially harmful emails alongside malicious files. </p><p>Machine learning can also be used in autonomous threat detection and response programs.</p><h2 id="the-myth-of-the-golden-ticket">The myth of the golden ticket</h2><p>The intention of the user largely dictates the risk-reward ratio. AI, like any tool, is prone to misuse and can be poisoned or hijacked, which means it isn’t a ‘golden ticket’ in cybersecurity. </p><p>Defenders who protect systems must not only understand and be trained on the testing of AI systems and their security, but also be in decision-making positions to execute what AI cannot adequately do. </p><p>In an era of industrialized cybercrime, success won’t be found in the AI buzz but in how well we blunt the third edge before it is turned against us.</p><p><em></em><a href="https://www.techradar.com/best/best-antivirus"><em>We've reviewed the best Antivirus Software</em></a><em>.</em></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New 'Firestarter' malware flames on in spite of Cisco firewall updates and security patches ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/new-firestarter-malware-flames-on-in-spite-of-cisco-firewall-updates-and-security-patches</link>
                                                                            <description>
                            <![CDATA[ Security pros are warning about custom malware targeting Cisco firewalls, and surviving upgrades and reboots. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GFVU9UKJ6kvfarh3Nps8a7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kCbP2VkzMgQpYqJDgMQ8UZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Apr 2026 15:25:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kCbP2VkzMgQpYqJDgMQ8UZ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cybersecurity]]></media:description>                                                            <media:text><![CDATA[Cybersecurity]]></media:text>
                                <media:title type="plain"><![CDATA[Cybersecurity]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kCbP2VkzMgQpYqJDgMQ8UZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall device</strong></li><li><strong>UAT‑4356 group exploited flaws CVE‑2025‑20333 and CVE‑2025‑20362 to deploy Line Viper before dropping Firestarter</strong></li><li><strong>CISA confirmed exploitation against at least one federal agency</strong></li></ul><p>Security researchers have warned of Firestarter, a brand new custom-built malware which targets unpatched Cisco Firepower and Secure Firewall devices, persisting over reboots, security patches, and even firmware updates.</p><p>Experts from Cisco Talos flagged Firestarter only works on devices running Adaptive Security Appliance (ASA), or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years now.</p><p>In mid-2024, <a href="https://www.techradar.com/pro/security/cisco-reveals-zero-day-attacks-used-by-hackers-to-attack-government-networks-in-major-threat-campaign" target="_blank">Cisco said</a> that sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in Cisco VPNs and <a href="https://www.techradar.com/best/firewall" target="_blank">firewalls</a> to drop malware. The same group, which is also being tracked as STORM-1849, abused two flaws at the time: CVE-2024-20353 and CVE-2024-20359.</p><h2 id="confirming-the-breach">Confirming the breach</h2><p>This time around, they are abusing a missing authorization issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader), before dropping Firestarter.</p><p>Line Viber was said to be able to run CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, steal user CLI commands, and force a delayed device restart. </p><p>For at least one Federal Civilian Executive Branch (FCEB) agency, the devices were compromised in the window of time between the patch being released, and being deployed on the devices: </p><p>“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” <a href="https://www.cisa.gov/news-events/analysis-reports/ar26-113a" target="_blank">CISA said </a>in its security advisory. </p><p>By tweaking the startup mount list, the malware makes sure it persists even after reboots.</p><p>Those running Firepower and Secure Firewall, and looking for mitigations and workarounds, should read Cisco’s security advisory <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Continued%20Evolution%20of%20Persistence%20Mechanism%20Against%20Cisco%20Secure%20Firewall%20Adaptive%20Security%20Appliance%20and%20Secure%20Firewall%20Threat%20Defense%26vs_k=1" target="_blank">here</a>. The company said it “strongly recommends” reimaging and upgrading the device using the fixed releases.</p><p><em>Via </em><a href="https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html" target="_blank"><em>The Hacker News</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'An interesting evolution in tactics': Google security experts flag new cyber scam which abuses Microsoft Teams to steal your data ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/an-interesting-evolution-in-tactics-google-security-experts-flag-new-cyber-scam-which-abuses-microsoft-teams-to-steal-your-data</link>
                                                                            <description>
                            <![CDATA[ Hackers first create a problem then try to "solve it" by pretending to be IT helpdesk. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">hr4qhEocfrtDqjQ2MLZ8Pf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UNBhCvCBZ47GpjzV7AN5mG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Apr 2026 10:39:10 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UNBhCvCBZ47GpjzV7AN5mG-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[(Image credit: Shutterstock)]]></media:description>                                                            <media:text><![CDATA[Security]]></media:text>
                                <media:title type="plain"><![CDATA[Security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UNBhCvCBZ47GpjzV7AN5mG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Google identifies new threat group, UNC6692, using spam floods and fake IT support messages via Microsoft Teams to trick victims</strong></li><li><strong>Targets were lured to a landing page that harvested credentials and deployed a three‑part malware framework themed around snow</strong></li><li><strong>The toolkit includes a persistence‑focused browser extension, a tunneling tool for data exfiltration, and a backdoor enabling full endpoint takeover</strong></li></ul><p>Google has sounded the alarm on a previously undocumented threat actor group that uses cheeky social engineering tactics to deploy a trilogy of malware.</p><p>In an in-depth <a href="https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware" target="_blank">report</a> Google said it saw UNC6692 - seemingly a new collective - bombard target email inboxes with countless spam messages in a short timeframe. </p><p>Soon after, they would reach out to the owner of that inbox via Microsoft Teams, through the cross-tenant feature, and introduce themselves as IT/helpdesk officials. They would say they were tasked with fixing the spam issue and would share a link to a landing page where the alleged fix can be found.</p><h2 id="the-snow-framework">The 'snow' framework</h2><p>Victims who follow the link are first asked to do a “health check” by clicking a button on the page which prompts the user to authenticate using their email and password which are then siphoned to the attackers’ servers. </p><p>Google also noticed the login attempt never works on the first try - which is a deliberate attempt to increase perceived legitimacy and make sure victims don’t share a fake or typo’d password.</p><p>After “logging in”, the page then performs an “email integrity check”, which is just a cover for what goes on in the background - the deployment of a <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> framework consisting of three elements. </p><p>"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," Google said in the report.</p><p>The framework is themed around snow, and contains three tools: SnowBelt, SnowGlaze, and SnowBasin. </p><p>The first is a Chromium-based extension that establishes persistence via the browser’s extension registration system. The extensions are often named “MS Heartbeat” or “System Heatbeat”. </p><p>The second is a tunneler that creates an authenticated WebSocket tunnel, enabling easy communication and possible data extraction. The third one is a backdoor that allows full endpoint takeover.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Shadow AI and agents like OpenClaw are hijacking corporate data too easily ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/shadow-ai-and-agents-like-openclaw-are-hijacking-corporate-data-too-easily</link>
                                                                            <description>
                            <![CDATA[ Discover how Shadow AI agents are quietly bypassing traditional defenses. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">b3PmYEyEXY7Aj9rgn2EP2o</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Apr 2026 10:10:49 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Si West ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:description>                                                            <media:text><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:text>
                                <media:title type="plain"><![CDATA[A pink triangle with a red exclamation mark inside on a blue digital landscape]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>According to UpGuard’s late-2025 report, nearly 90 percent of <a href="https://www.techradar.com/news/best-internet-security-suites">security</a> professionals use unapproved <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> at work. The people responsible for enforcing security policy are, by their own admission, ignoring it. More than 80 percent of workers across all roles use unsanctioned AI, and executives are the most prolific offenders.</p><p>We’ve been here before. A decade ago, the fight was over shadow IT — personal Dropbox accounts, unapproved SaaS apps, data flowing through tools that never passed a security review. Most organizations eventually got that under control with CASBs, discovery tooling, and better-sanctioned alternatives.</p><p>But those playbooks assumed the tools were dumb pipes: they moved and stored data, and the fix was visibility into where it went. Shadow AI doesn’t work that way, because AI tools don’t just store your data — they process it, and in some cases retain it.</p><p>When someone pastes a customer list into a free-tier chatbot or feeds proprietary code into an <a href="https://www.techradar.com/computing/artificial-intelligence/best-llms">LLM</a> to debug it faster, that data enters a system the organization has no control over. There’s no audit trail, and often nobody knows it happened. </p><p>On the compliance side, that creates exposure that compounds the longer it goes unaddressed: no data processing agreement, no documented retention policy, and no ability to respond to a GDPR subject access request or demonstrate to auditors that sensitive data stayed within regulatory boundaries.</p><p>The costs of Shadow AI are measurable. Recent Netwrix research indicates that organizations with high levels of unsanctioned AI usage experience data breach costs that are, on average, $670,000 higher than those with lower usage.</p><p>And banning AI doesn’t fix it — Software AG found that 46 percent of <a href="https://www.techradar.com/pro/best-employee-management-software-of-year">employees</a> would keep using unapproved tools even after an explicit ban. Prohibition just pushes the behavior underground.</p><p>There’s another cost that doesn’t show up in breach reports. When employees rely on unapproved models for analysis, drafting, or code generation, nobody is validating what comes back. Hallucinated data points end up in executive briefings.</p><p>Flawed code ships to production because the model that wrote it was never vetted against the organization's standards. Legal teams draft language using tools that nobody in compliance has reviewed.</p><p>The accuracy of the organization's own outputs erodes over time — and because the tools are unapproved, the teams using them have built workflows the business can’t see, can’t audit, and can’t replace if the tool changes its terms or gets cut off tomorrow.</p><h2 id="from-chatbots-to-autonomous-agents">From chatbots to autonomous agents</h2><p>Everything above describes employees using AI as a tool — typing a prompt, getting a response, pasting it somewhere. The next wave is different. Agentic AI systems don’t wait for prompts. They take actions: reading <a href="https://www.techradar.com/best/best-secure-email-providers">email</a>, executing code, accessing files, chaining tasks together, all running with the user’s own permissions.</p><p>OpenClaw, the open-source AI agent that racked up 145,000 GitHub stars in weeks, shows where this is heading. As a productivity tool, it’s impressive. As an attack surface, it’s what Cisco called a security nightmare.</p><p>When Cisco’s AI security research team tested the top-ranked community extension on OpenClaw’s skill repository, they found it was functionally <a href="https://www.techradar.com/best/best-malware-removal">malware</a>: it silently sent data to an attacker-controlled server via embedded shell commands while using prompt injection to bypass the agent’s safety guidelines.</p><p>That skill had been downloaded thousands of times. It was one of at least 230 malicious extensions uploaded to the repository within weeks of OpenClaw going viral. Kaspersky found 512 vulnerabilities in a single audit, eight of them critical. China banned it from government systems.</p><p>OpenClaw is one platform, but the pattern — broad system access, community-sourced plugins, weak default security — is the direction the whole category is moving. Gartner predicts 40 percent of enterprise applications will feature task-specific AI agents by the end of this year, up from under five percent in 2025.</p><p>These agents break the assumptions most security tooling is built on. An agent sending an email looks identical to the legitimate user. EDR sees normal traffic.</p><p>There’s no malicious binary to flag. And because agents process external content — emails, web pages, <a href="https://www.techradar.com/best/best-document-management-software">documents</a>, images — adversaries can embed instructions in that content and hijack the agent’s behavior without any human clicking anything. </p><p>Researchers have already demonstrated a single poisoned email causing an agent to hand over private keys from the host machine.</p><h2 id="what-actually-works">What actually works</h2><p>Blanket bans fail. That much is obvious from the <a href="https://www.techradar.com/best/best-data-recovery-service">data</a>. What works is giving people something better to use. One healthcare system that replaced its AI ban with approved tools saw unauthorized use fall 89 percent.</p><p>People reach for shadow AI because it solves real problems faster than whatever IT has sanctioned. Close that gap and most of the risky behavior goes away on its own.</p><p>Beyond that, treat AI interactions like data transfers. Apply DLP policies to prompts. Classify what should never enter an external model.</p><p>Build visibility into what tools employees are actually using — BlackFog’s research suggests 99 percent of organizations currently have no way of measuring shadow AI activity in their environments.</p><p>For agentic AI, the bar has to be higher. Autonomous tools need sandboxing, least-privilege access, and proper vetting of every extension before deployment.</p><p>Security teams need monitoring built for AI-native threats — prompt injection, supply chain compromise through malicious skills, credential leakage through agent memory — because legacy endpoint tools weren’t built to catch any of this.</p><p>None of this works as a policing exercise, though. Governance has to feel like a service to employees, not a constraint imposed on them. The organizations that figure this out will be in a strong position. The ones still pretending it’s not their problem are already behind — their data has been leaving the building, one prompt at a time, for months.</p><p><em></em><a href="https://www.techradar.com/best/best-online-cyber-security-courses"><em>We've featured the best online cybersecurity course.</em></a></p><p><em>This article was produced as part of </em><a href="https://www.techradar.com/pro/perspectives" target="_blank"><em>TechRadar Pro Perspectives</em></a><em>, our channel to feature the best and brightest minds in the technology industry today.</em></p><p><em>The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: </em><a href="https://www.techradar.com/news/submit-your-story-to-techradar-pro" target="_blank"><em>https://www.techradar.com/pro/perspectives-how-to-submit</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>