seclists.org
From: Simon Josefsson <simon () josefsson org>
Date: Tue, 20 Jan 2026 15:00:07 +0100
If you are tired of modern age vulnerabilities, and remember the good
old times on bugtraq, I hope you will appreciate this one. If someone
can allocate a CVE, we will add it in future release notes.
/Simon
The telnetd server invokes /usr/bin/login (normally running as root),
passing the value of the USER environment variable received from the
client as the last parameter.
If the client supplies a carefully crafted USER environment value that is
the string "-f root", and passes the telnet(1) -a or --login parameter
to send this USER environment variable to the server, the client will be
automatically logged in as root, bypassing the normal authentication
process.
This happens because the telnetd server does not sanitize the USER
environment variable before passing it on to login(1), and login(1)
uses the -f parameter to bypass normal authentication.
Severity: High
Vulnerable versions: GNU InetUtils since version 1.9.3 up to and
including version 2.7.
On a Trisquel GNU/Linux 11 aramo laptop:
root@kaka:~ sudo apt-get install inetutils-telnetd telnet
root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf
root@kaka:~ sudo /etc/init.d/inetutils-inetd start
root@kaka:~ USER='-f root' telnet -a localhost
...
root@kaka:~#
The bug was introduced in the following commit made on 2015 March 19:
https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87
Based on mailing list discussions:
https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00012.html
https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html
It was included in the v1.9.3 release made on 2015 May 12.
Do not run a telnetd server at all. Restrict network access to the
telnet port to trusted clients.
Apply the patch or upgrade to a newer release that incorporates the
patch.
Alternatively, disable the telnetd server or make the InetUtils telnetd use
a custom login(1) tool that does not permit use of the '-f' parameter.
The template for invoking login(1) is in telnetd/telnetd.c:
/* Template command line for invoking login program. */
char *login_invocation =
#ifdef SOLARIS10
  /* TODO: `-s telnet' or `-s ktelnet'.
   * `-u' takes the Kerberos principal name
   * of the authenticating, remote user.
   */
  PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}"
#elif defined SOLARIS
  /* At least for SunOS 5.8. */
  PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}"
#else /* !SOLARIS */
  PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"
#endif
  ;
The variable expansion happens in telnetd/utility.c:
/* Expand a variable referenced by its short one-symbol name.
   Input: exp->cp points to the variable name.
   FIXME: not implemented */
char *
_var_short_name (struct line_expander *exp)
{
  char *q;
  char timebuf[64];
  time_t t;

  switch (*exp->cp++)
    {
    case 'a':
#ifdef AUTHENTICATION
      if (auth_level >= 0 && autologin == AUTH_VALID)
        return xstrdup ("ok");
#endif
      return NULL;

    case 'd':
      time (&t);
      strftime (timebuf, sizeof (timebuf),
                "%l:%M%p on %A, %d %B %Y", localtime (&t));
      return xstrdup (timebuf);

    case 'h':
      return xstrdup (remote_hostname);

    case 'l':
      return xstrdup (local_hostname);

    case 'L':
      return xstrdup (line);

    case 't':
      q = strchr (line + 1, '/');
      if (q)
        q++;
      else
        q = line;
      return xstrdup (q);

    case 'T':
      return terminaltype ? xstrdup (terminaltype) : NULL;

    case 'u':
      return user_name ? xstrdup (user_name) : NULL;

    case 'U':
      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");

    default:
      exp->state = EXP_STATE_ERROR;
      return NULL;
    }
}
Thus there is potential for similar vulnerabilities for other
variables.
On non-GNU/Linux systems, only the remote hostname field is of
interest. The remote_hostname variable is populated in the function
telnetd_setup in telnetd/telnetd.c by calling getnameinfo() or
gethostbyaddr(), depending on the platform. These APIs are generally not
considered to return trusted data, so relying on them never to return a
value such as 'foo -f root' is not advisable.
We chose to sanitize all variables for expansion. The following two
patches are what we suggest:
https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc
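The following is an added illustration of the two defensive ideas the advisory points at, written for this digest and not taken from the InetUtils patches linked above: every value that is expanded into the login(1) command line (%h, %u, %U) is first checked so that it can neither be parsed as an option nor split into several words, and the command line is assembled as an argument vector rather than as one string that is later split on whitespace. The function names safe_expansion_value, build_login_argv and login_argv_at, and the treatment of auth_user as %u and env_user as %U, are assumptions of this example; the template it models is the non-Solaris one quoted earlier, PATH_LOGIN " -p -h %h %?u{-f %u}{%U}".

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LOGIN_ARGV_MAX 8

/* Illustrative check, not the InetUtils patch: a value is allowed into the
   login(1) command line only if it cannot be read as an option and cannot
   be split into several words.  Returns 1 for a safe value, 0 otherwise. */
int safe_expansion_value (const char *value)
{
  const char *p;

  if (value == NULL || *value == '\0')
    return 0;                       /* nothing to expand */
  if (*value == '-')
    return 0;                       /* would be parsed as an option, e.g. -f */
  for (p = value; *p != '\0'; p++)
    {
      unsigned char c = (unsigned char) *p;
      /* Whitespace would turn "foo -f root" into three arguments; control
         and shell metacharacters have no business in a user or host name.
         Only a conservative printable subset is accepted. */
      if (!(isalnum (c) || c == '.' || c == '_' || c == '-'
            || c == '@' || c == ':'))
        return 0;
    }
  return 1;
}

/* Build the argument vector for the template PATH_LOGIN " -p -h %h
   %?u{-f %u}{%U}" without ever joining the values into one string that is
   later split on whitespace.  auth_user stands for %u (a name the server
   itself authenticated), env_user for %U (the USER variable sent by the
   client).  On success the vector is filled and the argument count is
   returned; if any value fails the check, -1 is returned and argv[0] is
   NULL so the caller must not exec anything.  argv needs LOGIN_ARGV_MAX
   slots. */
int build_login_argv (const char *remote_host, const char *auth_user,
                      const char *env_user, const char *argv[])
{
  int n = 0;

  argv[0] = NULL;
  if (!safe_expansion_value (remote_host))
    return -1;
  argv[n++] = "/usr/bin/login";
  argv[n++] = "-p";
  argv[n++] = "-h";
  argv[n++] = remote_host;
  if (auth_user != NULL && *auth_user != '\0')
    {
      /* %?u{-f %u}: -f is only ever attached to a server-authenticated name. */
      if (!safe_expansion_value (auth_user))
        { argv[0] = NULL; return -1; }
      argv[n++] = "-f";
      argv[n++] = auth_user;
    }
  else if (env_user != NULL && *env_user != '\0')
    {
      /* {%U}: the client-supplied USER is at most a plain, checked argument. */
      if (!safe_expansion_value (env_user))
        { argv[0] = NULL; return -1; }
      argv[n++] = env_user;
    }
  argv[n] = NULL;
  return n;
}

/* Inspection helper: the argument at position idx of the vector that would
   be built for the given inputs, or NULL if the build was refused or idx is
   out of range. */
const char *login_argv_at (const char *remote_host, const char *auth_user,
                           const char *env_user, int idx)
{
  static const char *argv[LOGIN_ARGV_MAX];
  int n = build_login_argv (remote_host, auth_user, env_user, argv);

  if (n < 0 || idx < 0 || idx >= n)
    return NULL;
  return argv[idx];
}
```

With these checks a client-supplied USER of "-f root" is refused outright rather than reaching login(1), and a reverse-DNS result such as "foo -f root" for %h is refused for the same reason; a plain name like "alice" still ends up as the last argument, exactly where the template puts it.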
This vulnerability was found and reported by Kyu Neushwaistein aka
Carlos Cortes Alvarez on 2026-01-19.
Initial patch by Paul Eggert on 2026-01-20. Simon Josefsson improved
the patch to also cover similar concerns with other expansions.
This advisory was drafted by Simon Josefsson on 2026-01-20.
bleepingcomputer.com
By Sergiu Gatlan
January 21, 2026 12:49 PM
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.
"We just had a malicious SSO login on one of our FortiGate's running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.
The customer shared logs showing that the admin user was created from an SSO login of cloud-init@mail.io from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.
"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.
BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.
Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To disable FortiCloud login, navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. Alternatively, run the following commands from the command-line interface:
config system global
set admin-forticloud-sso-login disable
end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.
Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.
cybernews.com
Vilius Petkauskas
Deputy Editor
Luxshare, one of Apple’s key partners in assembling iPhones, AirPods, Apple Watches, and Vision Pro, allegedly suffered a data breach, orchestrated by a ransomware cartel. The attackers are threatening to leak data from Apple, Nvidia, and LG unless the company pays a ransom.
Key takeaways:
Luxshare, Apple's key iPhone assembler, allegedly suffered a ransomware attack threatening confidential product data leaks from multiple tech giants.
RansomHub attackers claim access to 3D CAD models, circuit board designs, and engineering documentation from Apple and Nvidia products.
Cybernews researchers claim leaked data includes confidential Apple-Luxshare repair projects, employee PII, and product design files from 2019-2025.
The breach could enable competitors to reverse-engineer products, manufacture counterfeits, and exploit hardware vulnerabilities in Apple devices.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Luxshare data breach allegedly occurred last month, with attackers claiming December 15th, 2025, as the date Apple key partners’ data was encrypted. The alleged attackers, RansomHub, announced the Luxshare data breach on their dark web forum.
Luxshare is an essential partner to the American giant. Many Apple products, including the iPhone, AirPods and Apple Watch, are assembled at Luxshare, which means the company has very intimate information about Apple’s products.
“We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company. We strongly recommend that you contact us to prevent your confidential data and project documents from being leaked,” the attackers claim.
We have reached out to the company and will update the article once we receive a reply. We have also reached out to Apple and will add its response as soon as we receive it.
Luxshare data breach claims on the dark web
Attackers' post announcing Luxshare data breach. Image by Cybernews.
What data did the Luxshare data breach expose?
The Cybernews research team investigated the data sample that the attackers attached to the post.
According to our team, the leaked data includes details on what appear to be confidential projects regarding device repair and shipping between Apple and Luxshare, including timelines, detailed processes, and information about other Luxshare clients.
Moreover, the leaked information appears to include personal identifiable information (PII) of individuals working on specific projects, with their full names, job positions and work emails exposed.
Luxshare data breach projects
Alleged information on Apple and Luxshare projects. Image by Cybernews.
“Dates of these projects range from 2019 to 2025 and the information appears to expose sensitive business operations. Additionally, .dwg and gerber files, which are often used to create product model designs, are also included,” the team explained.
While Apple’s assembler data breach is still unconfirmed, the team believes that the information included in the post appears to be legitimate.
Luxshare data breach team info
Alleged information about Luxshare staff working on Apple projects. Image by Cybernews.
What do the Luxshare attackers say?
The RansomHub attackers claim to have wide access to confidential Luxshare client data. The stolen data supposedly ranges from 3D product models to circuit board design data, information that’s highly coveted by corporate spies.
According to the attackers, they have accessed archives that contain:
Confidential 3D CAD product models, 3D engineering design data, 3D engineering documentation
Access to high-precision geometric data for Parasolid products
2D component drawings for manufacturing
Mechanical component drawings
Confidential engineering drawings in PDF format
Electronic design documentation
Electrical and layout architecture data
Printed circuit board manufacturing data
“The archives contain data from Apple, Nvidia, as well as LG, Geely, Tesla, and other large companies whose production and R&D information is publicly available. Protected by a non-disclosure agreement,” the attackers claim.
If confirmed, the attack could be disastrous for Luxshare and its partners. For one, attackers could sell the data to competitors who could utilize the stolen details to reverse-engineer products, bypass years of R&D, and manufacture counterfeits.
The cybersecurity implications are also extreme as attackers could clearly uncover hardware vulnerabilities, chip locations, and power systems, which would be beneficial to target firmware or carry out supply chain attacks.
China-based Luxshare is a behemoth in the electronics manufacturing industry. Based in the country’s tech heart, Shenzhen, the company employs over 230,000 people and reports revenues of over $37 billion.
According to reporting by the Wall Street Journal, Luxshare’s importance to Apple’s supply chain ballooned after its main assembler, Foxconn, went through a series of production halting protests.
Who are the Luxshare attackers?
First spotted in 2024, RansomHub is a well-established actor in the ransomware scene and has been one of the most active ransomware gangs of the past couple of years.
According to security experts, RansomHub is among the most prolific ransomware-as-a-service (RaaS) operations, emerging after ALPHV (BlackCat) disappeared. It primarily targets industrial manufacturing and healthcare.
RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.
According to a CISA advisory, the cybercrooks breached nearly 500 victims in 2024, almost at a rate of one victim per day. The cyber watchdog also provides a full list of the Kremlin-backed gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.
Updated on January 19th [01:30 p.m. GMT] with insights from the Cybernews research team.
ynetnews.com
Lior Ben Ari, News Agencies | 01.19.26 | 02:22
Messages against the regime, documentary footage of protests, and speeches by Crown Prince Reza Pahlavi are seen on the screens of Iranian channels received via satellite; 'Message to the Iranian army and security forces: Do not turn your weapons on the people'
Iran’s opposition television channel Iran International reported Sunday evening that satellite broadcasts of several Iranian state TV channels were hijacked, with anti–ayatollah regime protest messages and statements by Crown Prince Reza Pahlavi aired for several minutes. Pahlavi, the exiled son of the shah ousted in the 1979 Islamic Revolution, has in recent weeks sought to position himself as a leader of the protests aimed at toppling the regime.
According to Iran International, the messages were seen by viewers watching Iranian state channels via the Badr satellite. During the brief takeover, videos and images documenting protests against the regime appeared on screen, alongside a call by Prince Reza Pahlavi urging the Iranian people to join the demonstrations and appealing to the armed forces to side with the protesters. The opposition outlet noted that Iran’s state broadcasting authority relies on the Badr satellite to transmit a number of regional channels nationwide.
Videos circulating on social media showed on-screen messages such as: “People of Iran, continue your struggle. Freedom is closer than ever,” as well as “Europe is with you!” and “Prince Reza Pahlavi is our voice, he is mobilizing global support for us.” For several seconds, another message flashed repeatedly: “This is a message to the Iranian army and security forces: Do not turn your weapons on the people. Join the nation for Iran’s freedom!” A photograph of Iranian President Masoud Pezeshkian later appeared, alongside a written appeal addressed to him: “Mr. Pezeshkian, the moment of truth has arrived. Do you stand with those spreading lies about ‘mercenaries,’ ‘Mossad agents’ and similar nonsense?”
The satellite broadcast hack came as the Islamic Republic remains largely cut off from the outside world, a week and a half after authorities shut down internet access. NetBlocks, an organization that monitors internet traffic and cybersecurity, reported that Iran briefly saw an uptick in connectivity earlier Sunday after usage had hovered at about 1% of normal levels over the past week, before dropping again later in the day. According to NetBlocks, there was a sudden spike in access to Google and certain messaging services from inside Iran, allowing a small number of Iranians to relay detailed information about the severity of conditions on the ground. That window was short-lived, however, as internet traffic soon plunged again.
Iran’s authorities cut internet access on January 8, the day protests against the regime escalated into mass demonstrations and, according to reports, the deadliest day of clashes with security forces. Earlier Sunday, Pezeshkian said that, given the need to ease online business activity and reduce communications restrictions, he had recommended that the secretary of the Supreme National Security Council remove internet limitations as soon as possible, though he did not specify when this would happen.
Journalists with Agence France-Presse in Tehran reported Sunday that they were briefly able to connect to the global internet in the morning, even as major internet service providers remained blocked. Some Iranians were able to send and receive WhatsApp messages for the first time in days. International phone calls to and from Iran, which were blocked last week, were restored on Tuesday, and SMS services resumed on Saturday.
Despite the severe restrictions on internet access and Iran’s longstanding bans on certain apps—including Instagram and Facebook, which require VPNs to access—reports of atrocities committed by security forces against protesters have nonetheless leaked out in recent days, mainly via users connected to Elon Musk’s Starlink satellite internet service.
Earlier Sunday, Iran’s semi-official Fars news agency reported that the CEO of Irancell, the country’s second-largest mobile operator, had been dismissed after failing to comply with a government order to shut down the internet. Iranian state television reported that schools and universities reopened Sunday after being closed for a week, saying authorities had regained control of the situation.
Iran admits 5,000 killed, toll may be far higher
Earlier in the evening, Pezeshkian warned that any attack on Iran’s supreme leader, Ali Khamenei, would be considered a declaration of all-out war against the Iranian nation, and that the Islamic Republic’s response to any military aggression would be severe and regrettable. His remarks followed comments a day earlier by former U.S. ambassador to Israel Dan Shapiro, who said he believed President Donald Trump would attempt to kill Khamenei as early as this week.
In a post on the X platform on Sunday evening, Pezeshkian wrote: “If there are difficulties and hardships in the lives of the dear people of Iran, one of the main causes is the long-standing hostility and inhumane sanctions imposed by the U.S. government and its allies. Any harm to the supreme leadership of our country would amount to a declaration of all-out war against the Iranian nation.”
Trump has signaled in recent days that he has decided, for now, to pause any strike on Iran—falling short of the promise he made to the Iranian people at the height of the unrest a week and a half ago that “help is on the way,” urging them to continue fighting the regime. Still, over the past 24 hours, threats and insults have again been exchanged between Trump and Iran’s leadership. In the background, the United States continues to move an aircraft carrier and forces suited for a large-scale strike closer to the Middle East, leading many to believe the likelihood of a U.S. attack remains high.
In a series of posts on X, Khamenei on Saturday harshly attacked Trump, claiming the United States was responsible for the wave of protests sparked by Iran’s dire economic situation. “Responsibility must be placed on the United States,” he wrote, adding: “We find the U.S. president guilty of all the losses, damages and slander.” Trump responded in an interview with Politico, calling Khamenei a sick man and saying, “It’s time to look for new leadership in Iran.”
On Sunday morning, an Iranian official told Reuters that at least 5,000 people have been killed in the crackdown on protests since the beginning of the month. He said the dead included about 500 members of the security forces and, in line with the regime’s official narrative, blamed the deaths of “innocent civilians” on “terrorists and armed rioters,” whom he claimed were armed by Israel and other foreign actors. A day earlier, Khamenei himself acknowledged that “thousands” had been killed in the suppression of the protests, also pointing the finger at the United States, Trump and “the Zionists,” as he put it.
According to the Iranian official who spoke to Reuters, the final death toll is not expected to rise significantly. However, unverified reports suggest the number of fatalities is far higher. Britain’s Sunday Times reported Sunday morning that, according to doctors in Iran, the death toll may exceed 16,000. Citing a medical report compiled inside Iran and leaked by doctors using Starlink, the paper said between 16,500 and 18,000 protesters had been killed and about 330,000 wounded, including children and pregnant women.
On Saturday night, the U.S.-based Human Rights Activists News Agency (HRANA), which reports on Iran through a network of activists, said it had verified 3,308 protest-related deaths, but was still investigating another 4,382 cases, meaning the toll could rise sharply. HRANA said more than 24,000 protesters had been arrested, and despite Trump’s claim that Iran halted 800 planned executions of detainees, it is highly possible that many will eventually be tried and executed, as Iran has done after previous protest waves, including the 2022 “hijab protests.”
bleepingcomputer.com
By Lawrence Abrams
January 15, 2026
Exclusive: Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.
"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer.
"We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."
Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.
However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.
Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.
Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.
It is unclear if the two incidents are connected.
Extorted by hackers
While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.
BleepingComputer attempted to verify these claims with the threat actors, but they refused to comment.
According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.
Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.
While it is unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.
In August, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.
According to a report by Google's Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.
"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.
ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables for 760 companies.
As threat actors continue to abuse previously stolen Salesforce data to carry out follow-on attacks, organizations impacted by the Salesloft Drift breaches must rotate all affected access tokens and secrets as soon as possible if they have not already done so.
Commsrisk
By Eric Priezkalns, 19 Jan 2026
The scourge of smishing messages sent by rogue base stations is spreading across Europe but national leaders ignore the underlying security threat.
Police have announced the first ever arrests of smishing SMS blaster scammers in Greece. Regular readers of Commsrisk will anticipate all the essential facts of the case: a false base station was carried in the back of a car; the car was driven through densely populated suburbs of Athens, a major metropolitan area; the phones of victims were downgraded to 2G to bypass the security protocols of subsequent generations; victims received SMS messages that impersonated banks and contained links to phishing websites. But perhaps the most important common factor was that the two driver-operators of the SMS blaster were Chinese.
The arrests in Greece relied upon dumb luck rather than technologies that identify and pinpoint fake base stations. An employee of a shopping mall in Spata, an eastern district of Athens, warned police that two Chinese customers had behaved suspiciously. The police stopped and questioned the Chinese, who presented forged identity documents. The police then proceeded to search their car, where they found an SMS blaster and associated equipment. Three actual cases of fraud have since been tied to messages sent by the SMS blaster. The victims in these cases respectively reside in Spata, in downtown Athens, and in Maroussi, a northern suburb of Athens.
Greek police released an image of the equipment they found; this has been reproduced at the bottom of the article. Regular readers will also recognize another element commonly seen in photographs of devices seized during SMS blaster busts worldwide: a DC-to-AC electricity converter in the distinctive orange case of Chinese manufacturer NFA. We have also collated images of NFA converters that powered SMS blasters in Hong Kong, Japan, Malaysia, the Philippines, Qatar, Serbia, Thailand, Türkiye and the United Kingdom. There is nothing illegal about making and selling devices that convert DC electricity to AC, but the use of the same Chinese manufacturer’s equipment by Chinese criminals arrested in such a wide spread of countries would suggest common supply chains are enabling the intercontinental spread of SMS blaster crime.
A lot is said about the need for collaboration to reduce fraud, but the extent of voluntary collaboration can be gauged by:
the widespread, but often unacknowledged, dependence on this website to monitor and analyze information about SMS blaster crime from around the world; and
the fact that the information provided here for free is not even quoted correctly by the authorities.
The Greek authorities advised their local press that Greece is the fifth European country to be attacked using an SMS blaster. Commsrisk’s open source intelligence is evidently having an impact because press reports of earlier busts usually featured ineptly random lists of a few places where SMS blasters had been found before. The SMS blaster map on our Global Fraud Dashboard shows that Greece is at least the sixth country in Europe to discover smishing messages from SMS blasters carried by car. The other five European countries are, in chronological order of when their cases were reported: France, Norway, the United Kingdom, Switzerland and Serbia. Fake base stations that transmitted SMS messages have also been identified in Türkiye although the Turkish authorities insist those devices were used for espionage instead of smishing fraud. Note also that a Chinese national based in Istanbul was involved in the supply of those fake base stations and that an NFA power converter was used in conjunction with one of them.
The new case from Athens has been added to our SMS blaster map. If you believe a useful purpose is served by the open source intelligence that is automatically harvested by our Global Fraud Dashboard then please consider donating to the crowdfunding campaign we will launch soon. The goal is to finance the development work for a massive expansion of the number of charts on the dashboard and the range of data sources that it monitors.
I draw one overriding conclusion from the general ignorance surrounding the spread of SMS blaster crime: national authorities are not gathering and exchanging intelligence that would help them anticipate the spread of international crimes involving communications tech. They do not formulate plans to protect the public until they have identified crimes occurring within their jurisdictions. If detection depends on dumb luck, as it has in many of the European cases, then a lot of crime can occur before the authorities will react. This is a dangerous approach when dealing with crimes involving electronic communications as they are easily spread to new countries. Insufficient importance is attached to systematically detecting these crimes even though a few countries have researched and implemented technologies to proactively identify SMS blasters. Nor are we thinking strategically about safety. A rogue base station can be used for smishing fraud, or for espionage, or to spread panic.
If I were Vladimir Putin, a former spook with a penchant for destabilizing other countries through black ops and disinformation, then I would be laughing at European governments that talk a lot about preparing for conflict but have not modified mobile networks to reveal how many fake base stations are being transported around the continent. The invasion of Ukraine has prompted a rapid evolution in the ways electronic communications are exploited for warfare. Manufacturers of military drones commonly advertise versions that carry IMSI-catchers, a kind of surveillance device that mimics base stations in much the same way that SMS blasters do. Meanwhile, Europe remains so blasé about SMS blasters that a Chinese national could rent a car in, say, Estonia or Bulgaria, then drive it the whole way to Portugal or Italy, blasting SMS messages along the entire route, without anyone trying to stop him. The method is currently being used for fraud but it could just as easily spread disinformation with the intention to cause mayhem ahead of an invasion.
My guess (and hope) is that 2026 will be the year when most European police and governments will finally stop pretending that SMS blasters are a ‘new’ problem that will simply go away if they ignore it. To put the current European situation into context, consider that the mushrooming of SMS blaster crime was witnessed a decade ago across a similarly-sized geographic region. Chinese legal reports show there had already been over 1,600 separate prosecutions involving fake base stations by 2016. The Chinese authorities responded by taking radical action to punish the manufacture and sale of SMS blasters as well as their use by criminals. It seems they care less about the export of SMS blasters now that the domestic threat has been quelled.
Instead of learning from China’s example, European authorities behave as if there is no need to proactively tackle the supply of SMS blasters. I doubt Europe has the same determination to fight crime as the authorities in China, even if it was capable of marshaling and coordinating resources in the way the Chinese Communist Party can. Fearing they might be overwhelmed by exports from China, various East Asian countries have banned the importation of SMS blasters and run sting operations to disrupt supply lines.
Meanwhile, false base stations can openly be bought through websites — on condition they are never used within China — and Western internet firms including Google do nothing about adverts that promote their sale. Those involved in European legislation and regulation dither over how to write a definition of SMS blasters that can be used to make them illegal without prohibiting legitimate radio telecoms equipment. Presumably these dunderheads will later do what they always do: wait for a crisis to occur then seek praise for reacting to it while pretending there was no way to anticipate it.
Look immediately below for the Greek police photograph of the equipment they seized, and keep scrolling for comparative photos of NFA converters used to power SMS blasters found in (clockwise from top left): Hong Kong; Malaysia; Thailand; Türkiye; the United Kingdom; Manila in the Philippines; Bulacan in the Philippines; Serbia; Qatar; and Japan.
therecord.media
Suzanne Smalley
January 12th, 2026
Hungary has granted political asylum to Poland's former justice minister, Zbigniew Ziobro, who is being prosecuted for his role in a spyware scandal that has rocked the country.
Ziobro is facing dozens of charges for allegedly embezzling money meant for crime victims to pay for spyware used to snoop on the devices of political opponents.
One of the highest profile people implicated in Poland’s sprawling spyware scandal, Ziobro said on X that he intends to accept Hungary’s asylum offer “due to the political persecution in Poland.”
“I have decided to remain abroad until genuine guarantees of the rule of law are restored in Poland,” Ziobro posted. “I believe that instead of acquiescing to being silenced and subjected to a torrent of lies—which I would have no opportunity to refute—I can do more by fighting the mounting lawlessness in Poland.”
Ziobro served as justice minister from 2015 until 2023 and stands accused of helping facilitate a massive spyware operation that current Polish Prime Minister Donald Tusk has alleged involved snooping on nearly 600 people.
In September 2024, a Senate commission investigating the scandal said it had found "gross violations of constitutional standards.”
It is unusual for a country within the European Union to offer asylum to a criminal defendant facing prosecution elsewhere in the bloc. Hungarian Prime Minister Viktor Orban is politically aligned with Ziobro, a member of the right-wing Law and Justice (PiS) party, and has his own history with spyware, however.
In December 2024, another former Justice Ministry official, Marcin Romanowski, claimed asylum in Hungary after facing charges for his alleged role in the spyware operation.
techcrunch.com
Lorenzo Franceschi-Bicchierai
11:15 AM PST · January 8, 2026
The infamous spyware maker released a new transparency report claiming to be a responsible spyware maker, without providing insight into how the company dealt with problematic customers in the past.
NSO Group, one of the most well-known and controversial makers of government spyware, released a new transparency report on Wednesday, as the company enters what it described as “a new phase of accountability.”
But the report, unlike NSO’s previous annual disclosures, lacks details about how many customers the company rejected, investigated, suspended, or terminated due to human rights abuses involving its surveillance tools. While the report contains promises to respect human rights and have controls to demand its customers do the same, the report provides no concrete evidence supporting either.
Experts and critics who have followed NSO and the spyware market for years believe the report is part of an effort and campaign by the company to get the U.S. government to remove the company from a blocklist — technically called the Entity List — as it hopes to enter the U.S. market with new financial backers and executives at the helm.
Last year, a group of U.S. investors acquired the company, and since then, NSO has been undergoing a transition that included high-profile personnel changes: former Trump official David Friedman was appointed the new executive chairman; CEO Yaron Shohat stepped down; and Omri Lavie, the last remaining founder who was still involved in the company, also left, as Israeli newspaper Haaretz reported.
“When NSO’s products are in the right hands within the right countries, the world is a far safer place. That will always be our overriding mission,” Friedman wrote in the report, which does not mention any country where NSO operates.
Natalia Krapiva, the senior tech-legal counsel at Access Now, a digital rights organization that investigates spyware abuses, told TechCrunch: “NSO is clearly on a campaign to get removed from the U.S. Entity List and one of the key things they need to show is that they have dramatically changed as a company since they were listed.”
“Changing the leadership is one part and this transparency report is another,” said Krapiva.
“However, we have seen this before with NSO and other spyware companies over the years where they change names and leadership and publish empty transparency or ethics reports but the abuses continue.”
“This is nothing but another attempt at window dressing and the U.S. government should not be taken for a fool,” said Krapiva.
Ever since the Biden administration added NSO to the Entity List, the company has lobbied to have its restrictions lifted. After President Donald Trump took office again last year, NSO intensified these efforts. But, as of May last year, NSO had failed to sway the new administration.
In late December, the Trump administration lifted sanctions against three executives tied to the Intellexa spyware consortium, in what some saw as a sign of a shift in the administration’s attitude toward spyware makers.
A lack of details
This year’s transparency report, which covers 2025, has fewer details than reports from previous years.
In an earlier transparency report covering 2024, for example, NSO said it opened three investigations of potential misuse. Without naming the customers, the company said it cut ties with one, and imposed on another customer “alternative remediation measures,” including mandating human rights training, monitoring the customer activities, and requesting more information about how the customer uses the system. NSO did not provide any information about the third investigation.
NSO also said that during 2024, the company rejected more than $20 million “in new business opportunities due to human rights concerns.”
In the transparency report published the prior year, covering 2022 and 2023, NSO said it suspended or terminated six government customers, without naming them, claiming these actions resulted in a revenue loss of $57 million.
In 2021, NSO said it had “disconnected” the systems of five customers since 2016 following an investigation of misuse, resulting in more than $100 million in “estimated loss of revenue,” and it also said that it “discontinued engagements” with five customers due to “concerns regarding human rights.”
NSO’s newest transparency report does not include the total number of customers NSO has, statistics that have been consistently present in previous reports.
TechCrunch asked NSO spokesperson Gil Lanier to provide similar statistics and figures, but did not receive answers by press time.
John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses for more than a decade, criticized NSO.
“I was expecting information, numbers,” Scott-Railton told TechCrunch. “Nothing in this document allows outsiders to verify NSO’s claims, which is business as usual from a company that has a decade-long history of making claims that later turned out to be misrepresentation.”
cnn.com
By Helen Regan
A prominent tycoon wanted by United States federal prosecutors for allegedly running one of Asia’s largest transnational criminal networks has been arrested and extradited to China, Cambodian authorities and Chinese state media said.
Chen Zhi, 38, a national of China and Cambodia, was extradited on Tuesday after a months-long investigation by the two countries, Cambodia’s Interior Ministry said in a statement a day later. Chen’s Cambodian citizenship had been revoked, the ministry added.
The operation was conducted at the request of the Chinese government, the ministry said, though it is unclear what charges Chen faces in China. He was arrested alongside two other Chinese nationals.
Chen is the founder and chairman of Prince Group, which bills itself as one of Cambodia’s biggest conglomerates, with investments in luxury real estate, banking services, hotels, and major construction developments.
But US federal prosecutors say his business empire was fueled by forced labor and cryptocurrency scams that conned victims the world over and at one point were allegedly earning Chen and his associates $30 million every day.
In October, the US Treasury Department and UK Foreign Office sanctioned Prince Group and dozens of its affiliates, designating them transnational criminal organizations. Chen was charged in absentia in New York with money laundering conspiracy and wire fraud conspiracy, along with several associates.
Prosecutors also seized $15 billion in cryptocurrency from Chen following a years-long investigation, in what the Justice Department said was the largest forfeiture action in its history.
Since the indictment was announced, several other jurisdictions including Singapore, Thailand, Hong Kong and Taiwan announced seizures or freezes of hundreds of millions of dollars in assets linked to Chen.
CNN has reached out to lawyers representing Prince Group for comment on Chen’s arrest. Prince Group has previously denied engaging in unlawful activity, calling the allegations “baseless” and “aimed at justifying the unlawful seizure of assets,” according to a statement published on its website.
Chinese state media CCTV released footage Thursday of a handcuffed and hooded Chen being escorted from an airplane by Chinese security forces following his extradition.
“At present, Chen Zhi has been placed under compulsory criminal measures in accordance with the law, and the related cases are under further investigation,” the Ministry of Public Security said in a statement. It described Chen as “the ringleader of a major cross-border online gambling and fraud criminal syndicate.”
Chinese authorities will also issue wanted notices “for the first group of key members of the Chen Zhi criminal syndicate and will resolutely apprehend all fugitives and bring them to justice,” a ministry official said.
Cambodia has recently come under more pressure to act against the scam networks operating within its borders. In its statement, the interior ministry said Chen’s arrest was “within the scope of cooperation in combating transnational crime.”
The United Nations Office of Drugs and Crime has said the criminal networks that run the scam hubs are evolving at an unprecedented scale, despite highly publicized crackdowns last year.
“This arrest reflects sustained international pressure finally reaching a point where continued inaction became untenable for Phnom Penh,” said Jacob Sims, visiting fellow at Harvard University’s Asia Center and a transnational crime expert.
“It defused escalating Western scrutiny while aligning with Beijing’s likely preference to keep a politically sensitive case out of US and UK courts.”
What does arrest mean for US charges?
Analysts say Chen’s extradition to China will mean it is “highly unlikely” he will face justice in the US, at least in the short term. China does not have an extradition treaty with the US and the two countries are embroiled in a deepening geopolitical and economic rivalry.
“This outcome effectively shields Chen from US jurisdiction,” said Sims.
The global scam industry, much of it centered in Southeast Asia, is estimated to be worth between $50 billion and $70 billion. In 2023 it conned victims in the United States alone out of at least $10 billion.
The massive industry relies on hundreds of thousands of people who have been trafficked or lured to work in heavily guarded scam compounds, where they are forced to carry out investment or romance scams known as “pig butchering,” to con ordinary people out of their life savings.
US prosecutors allege Chen and others operated at least 10 forced labor camps across Cambodia since 2015 to engage in cryptocurrency investment schemes under the threat of violence.
Authorities allege they laundered criminal proceeds through the business and bribed government officials to stay ahead of criminal investigations and raids on the compounds.
Prince Group, American and British authorities allege, was the umbrella for more than 100 shell companies and entities allegedly used to funnel laundered cash across 12 countries and territories from Singapore to St Kitts and Nevis.
Chen and others used the stolen money to buy Picasso artwork, private jets and properties in upscale neighborhoods of London, as well as supplying bribes to public officials, according to prosecutors in New York.
Analysts say Chen faces a number of outstanding legal issues in China, though the charges remain opaque and have not compelled his extradition until now.
“What is clear, however, is that Beijing has strong incentives to handle this quietly and internally, given the political sensitivities surrounding his business empire, its regional ties, and in particular, a number of reported ties to various Chinese government officials,” Sims said.
The activist website called “ICE List” was offline after a massive DDoS attack. The crash followed a leak of 4,500 federal agent names linked to the Renee Nicole Good shooting.
The website ICE List, also known as the ICE List Wiki, was crippled by a major cyber attack after it prepared to publish the identities of thousands of federal agents in the United States, particularly those associated with Immigration and Customs Enforcement (ICE).
The site’s founder, Netherlands-based activist Dominick Skinner, confirmed that a massive DDoS attack began flooding their servers on Tuesday evening last week.
A DDoS attack works by flooding a website with so much junk traffic that it can no longer serve legitimate requests. Skinner told reporters that the length and intensity of this attack suggest a deliberate, organised effort to keep the leaked information from reaching the public.
The Shooting That Sparked the Leak
According to The Daily Beast, the data at the centre of this battle was provided by a whistleblower from the Department of Homeland Security (DHS). The leak reportedly includes the names, personal phone numbers, and work histories of roughly 4,500 employees from ICE and Border Patrol.
Further probing revealed that the whistleblower was moved to act following the death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026.
Within hours of the shooting, activists managed to identify the agent involved as Jonathan E. Ross. Skinner noted that for the whistleblower, this tragic incident was the “last straw,” leading them to hand over a dataset full of work emails, job titles, and résumé-style background info.
Identifying the Attackers
While the site is back online, Skinner observed that much of the malicious traffic appeared to originate from a bot farm in Russia. However, it is nearly impossible to track the true source: attackers routinely route traffic through proxies in several countries to hide where it actually comes from. Skinner described the attack as “sophisticated,” suggesting that the attackers are highly determined to keep the names hidden.
Skinner’s team continues to operate out of the Netherlands to stay beyond the immediate reach of US authorities. Despite the crash, they remain committed to the project with plans to move to more secure servers. They plan to publish most of the names, though they intend to omit certain staff members, such as nurses or childcare workers.
digital-strategy.ec.europa.eu
DIGIBYTE
Publication 12 January 2026
The European Commission has launched a call for evidence on the upcoming European Open Digital Ecosystem Strategy - an initiative that will support EU ambitions to secure technological sovereignty.
Boosting European technological sovereignty is a key priority for the Commission with the open source sector considered particularly important to European ambitions. The Commission plans to set out a strategic approach to the open source sector in the EU and present a review of the 2020-2023 open source software strategy.
While across the EU there are thriving communities of open source developers whose work is aligned with EU digital rights and principles, European governments and companies are heavily dependent on non-EU digital technologies, hampering choice and competitiveness and creating challenges for cybersecurity. Open source software underpins 70-90% of all code in the digital economy, yet of the value generated by European open-source communities flows outside the EU, often benefiting tech giants elsewhere. With the importance of open source only growing in key sectors such as high-performance computing and edge computing, a strategic approach is critical.
However, EU stakeholders face significant barriers including limited access to growth capital, and essential infrastructure. Supporting communities through research programmes alone has proven insufficient for successful scaling of open source solutions.
The forthcoming strategy will complement the forthcoming Cloud and AI Development Act and builds on successful EU initiatives such as the Next Generation Internet programme and the recently launched Digital Commons European Digital Infrastructure Consortium (EDIC).
The Commission invites input from open source communities, developers, companies, public administrations, industry, and research institutions. Stakeholders are specifically asked to identify barriers to open source adoption, demonstrate the added value of open source and share suggestions for concrete EU level measures to strengthen the ecosystem.
The final strategy, expected in Q1 2026, will establish a comprehensive framework supporting the entire open source lifecycle from development to market integration.
The consultation will close on 3 February 2026. Feedback can be submitted on the Commission Have Your Say platform.
techcrunch.com/
Lorenzo Franceschi-Bicchierai
12:01 PM PST · January 16, 2026
Nicholas Moore pleaded guilty to stealing victims’ information from the Supreme Court and other federal government agencies, and then posting it on his Instagram @ihackthegovernment.
A hacker posted the personal data of several of his hacking victims on his Instagram account, @ihackthegovernment, according to a court document.
Last week, Nicholas Moore, 24, a resident of Springfield, Tennessee, pleaded guilty to repeatedly hacking into the U.S. Supreme Court’s electronic document filing system. At the time, there were no details about the specifics of the hacking crimes Moore was admitting to.
On Friday, a newly filed document — first spotted by Court Watch’s Seamus Hughes — revealed more details about Moore’s hacks. Per the filing, Moore hacked not only into the Supreme Court systems, but also the network of AmeriCorps, a government agency that runs stipended volunteer programs, and the systems of the Department of Veterans Affairs, which provides healthcare and welfare to military veterans.
Moore accessed those systems using stolen credentials of users who were authorized to access them. Once he gained access to those victims’ accounts, Moore accessed and stole their personal data and posted some online to his Instagram account: @ihackthegovernment.
In the case of the Supreme Court victim, identified as GS, Moore posted their name and “current and past electronic filing records.”
In the case of the AmeriCorps victim, identified as SM, Moore boasted that he had access to the organization’s servers and published the victim’s “name, date of birth, email address, home address, phone number, citizenship status, veteran status, service history, and the last four digits of his social security number.”
And, in the case of the victim at the Department of Veterans Affairs, identified as HW, Moore posted the victim’s identifiable health information “when he sent an associate a screenshot from HW’s MyHealtheVet account that identified HW and showed the medications he had been prescribed.”
According to the court document, Moore faces a maximum sentence of one year in prison and a maximum fine of $100,000.
securityweek.com
By Eduard Kovacs| January 13, 2026 (12:09 PM ET)
The law firm Fried Frank seems to be informing high-profile clients about a recent data security incident.
JPMorgan Chase is informing some investors about a data breach stemming from a recent cybersecurity incident at an outside law firm. The same incident triggered a similar data breach notice from Goldman Sachs in December 2025.
The Maine Attorney General’s Office requires companies that have suffered a data breach impacting the state’s residents to submit a report and a copy of the notification letter sent to affected individuals.
JPMorgan Chase submitted such a notification to the Maine AGO on Tuesday, revealing that investors in a private equity fund have been impacted by a data breach linked to an incident at the law firm Fried, Frank, Harris, Shriver & Jacobson LLP.
The notification letters reveal that an “unauthorized third party” copied files from a Fried Frank shared network drive. Some of the files contained the personal information of individuals who invested in the JPMorgan fund.
The compromised information includes names, contact information, account numbers, SSNs, and passport or other government ID numbers.
JPMorgan told the Maine AGO that a total of 659 individuals are affected by the data breach.
The banking giant’s disclosure mirrors a similar warning issued by Goldman Sachs in late 2025.
According to Goldman’s notification to impacted investors, Fried Frank told the company that “based on the steps it has taken to date, it believes that any data exposed in the incident is unlikely to be distributed or used improperly”.
Both Wall Street titans highlighted that their own systems were not compromised.
Fried Frank is facing lawsuits over the data breach.
It’s unclear who is behind the intrusion. SecurityWeek has not seen any ransomware group taking credit for an attack on Fried Frank. If it was indeed a ransomware attack, the law firm may have paid a ransom, which would be consistent with its statement about the unlikely abuse of the data.
SecurityWeek has reached out to Fried Frank for additional information and will update this article if the company responds.
The Brussels Times
Tuesday, 13 January 2026
By The Brussels Times with Belga
The AZ Monica hospital in Antwerp was targeted by a cyberattack on Tuesday, with a full-scale investigation now launched.
The hospital detected a serious IT system disruption around 6:30 am and, as a precaution, shut down its servers at both the Deurne and Antwerp campuses. It is not yet clear whether patient data has been compromised.
All scheduled procedures were postponed on Tuesday, impacting a minimum of 70 surgeries across both campuses. Seven patients were proactively transferred to another hospital.
The motives behind the cyberattack remain unknown. Unconfirmed reports within the hospital suggest the hackers may be demanding ransom, but neither the public prosecutor nor the hospital’s CEO has confirmed these claims.
Access to AZ Monica remains possible, and its emergency department is operational, albeit in a limited capacity.
However, MUG and PIT emergency services are temporarily unavailable. The hospital emphasised that its primary focus continues to be patient safety and care continuity.
thepinknews.com
Jan 06
Written by Sophie Perry
The website belonging to the Free Speech Union (FSU) is down after a trans activism group BASH BACK hacked it and exposed its list of donors.
The Free Speech Union's website is currently unavailable (PinkNews)
The website belonging to the Free Speech Union (FSU) is down after trans activism group BASH BACK hacked it and exposed its list of alleged donors.
The group, which vandalised offices belonging to the Equality and Human Rights Commission (EHRC) in London in October, published a list of names of people who have allegedly donated to the FSU’s various campaigns.
Shortly after publication of PinkNews’ article, the BASH BACK website also went down, with a 404 error page visible instead.
The freedom of speech organisation, founded by Conservative peer and journalist Toby Young, was said – according to GB News – to be undertaking an “independent security briefing” into BASH BACK, inspired by an article in the Daily Mail which detailed future BASH BACK targets, including the offices of health secretary Wes Streeting and prime minister Keir Starmer.
At the time of that article’s publication, BASH BACK stated the information about its targets was publicly available information.
“The Free Speech Union commissioned a ‘security’ report on us,” BASH BACK wrote on BlueSky on Monday (5 January), “so we tested their security. Turns out – it sucks.”
By Monday evening the FSU’s website was unavailable and stated “maintenance mode is on” but by Tuesday morning a 404 error code appears when attempting to access it.
PinkNews will not publish any of the names listed in the hacked list, and is also unable to verify its content.
A spokesperson for BASH BACK described the FSU in a statement as an “organisation for defending bigots”.
“Instead of fighting for the free speech of pro-Palestine activists, such as the prisoners currently on hunger strike, they move heaven and earth to defend every sexist, racist, and transphobe that crosses their path,” they wrote.
“The FSU has said nothing about the police banning the use of common Arabic phrases, the abuse of activists in prison, or the censorship imposed on the public around Britain’s involvement in genocide.
“Instead, their focus is on defending those who preach hatred. The public deserves to know who is funding the FSU’s activities, and we are glad to be able to reveal it.”
They went on to state the FSU “purports to be an advocacy group for freedom of expression” but instead “represent a security fund for attention-seeking reactionaries backed by the ultra-wealthy”.
“They use their funders’ deep pockets to repress ordinary people and impose a two-tier justice system where wealthy transphobes and racists can preach hate whilst those who oppose genocide are imprisoned and abused, or otherwise subject to police violence,” the spokesperson continued.
“In a time where free speech is under attack, not by ‘wokism’ or minorities, but by an increasingly authoritarian state, the so-called ‘Free Speech Union’ sets its sights instead on protecting powerful bigots from the consequences of their public tantrums.”
9to5mac.com
Arin Waichulis
| Jan 9 2026 - 7:19 am PT
Mosyle, a popular Apple device management and security firm, has exclusively shared details with 9to5Mac on a previously unknown macOS malware campaign. While crypto miners on macOS aren’t anything new, the discovery appears to be the first Mac malware sample uncovered in the wild that contains code from generative AI models—officially confirming what was inevitable.
At the time of discovery, Mosyle’s security research team says the threat was undetected by all major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums indicating how large language models were being used to write malware targeting macOS.
The campaign, which Mosyle is calling SimpleStealth, is spreading through a convincing fake website impersonating the popular AI app, Grok. The threat actors are using a look-alike domain to trick users into downloading a malicious macOS installer. When launched, victims are presented with what appears to be a full-functioning Grok app that looks and behaves like the real thing. This is a common technique used to keep the application front and center while malicious activity quietly runs in the background, allowing the malware to operate longer without being noticed.
According to Mosyle, SimpleStealth is designed to bypass macOS security safeguards during its first execution. The app prompts the user for their system password under the guise of completing a simple setup task. This allows the malware to remove Apple’s quarantine protections and prepare its true payload. From the user’s perspective, everything appears normal as the app continues to display familiar AI-related content that the real Grok app would.
Behind the scenes, however, the malware deploys a stealthy Monero (XMR) crypto miner whose own website boasts “quicker payouts” and being “confidential and untraceable.” To stay hidden, the mining activity only starts when the Mac has been idle for at least a minute and stops immediately when the user moves the mouse or types. The miner further disguises itself by naming its processes after common system processes like kernel_task and launchd, making it far harder for users to spot abnormal behavior.
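The process-name masquerading described above is also the easiest part of this behaviour to detect, because the genuine kernel_task and launchd are singletons with fixed identities on macOS: kernel_task is always PID 0, and launchd is always PID 1 running from /sbin/launchd. The script below is an added example, not code from Mosyle, 9to5Mac or the malware itself: it parses the output of `ps -axo pid,ppid,user,%cpu,comm` and flags any process borrowing one of those names with the wrong PID, path or owner. The embedded ps listing is constructed for the example, as are the Grok paths in it.

```python
"""Flag processes that borrow the names of macOS system daemons.

Added example (not Mosyle's or 9to5Mac's code). On a real Mac the two
names SimpleStealth is reported to mimic belong to exactly one process
each: kernel_task is PID 0 and launchd is PID 1 at /sbin/launchd.
Anything else wearing those names deserves a closer look. Input is the
text of `ps -axo pid,ppid,user,%cpu,comm`; SAMPLE_PS below is constructed.
"""
from dataclasses import dataclass

# Identity of the genuine processes: (expected pid, executable as ps reports it).
EXPECTED = {
    "kernel_task": (0, "kernel_task"),
    "launchd": (1, "/sbin/launchd"),
}


@dataclass
class Finding:
    pid: int
    comm: str
    reason: str


def parse_ps(text: str):
    """Yield (pid, ppid, user, cpu, comm) per row; comm may contain spaces."""
    for line in text.strip().splitlines()[1:]:  # first row is the header
        parts = line.split(None, 4)              # keep the path intact
        if len(parts) != 5:
            continue
        pid, ppid, user, cpu, comm = parts
        yield int(pid), int(ppid), user, float(cpu), comm


def find_masquerading(ps_text: str) -> list[Finding]:
    """Return every process named like a system daemon that is not the real one."""
    findings = []
    for pid, _ppid, user, _cpu, comm in parse_ps(ps_text):
        name = comm.rsplit("/", 1)[-1]
        if name not in EXPECTED:
            continue
        want_pid, want_path = EXPECTED[name]
        if pid != want_pid:
            findings.append(Finding(pid, comm, f"{name} should be PID {want_pid}"))
        elif comm != want_path:
            findings.append(Finding(pid, comm, f"{name} should run from {want_path}"))
        elif user != "root":
            findings.append(Finding(pid, comm, f"{name} should run as root"))
    return findings


# Constructed listing: two legitimate daemons, Finder, and two impostors
# living under a hypothetical fake-Grok support directory.
SAMPLE_PS = """\
  PID  PPID USER      %CPU COMM
    0     0 root       0.3 kernel_task
    1     0 root       0.1 /sbin/launchd
  512     1 alice      0.0 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  731     1 alice     97.4 /Users/alice/Library/Application Support/Grok/launchd
  742   731 alice     88.1 /Users/alice/Library/Application Support/Grok/kernel_task
"""

if __name__ == "__main__":
    for f in find_masquerading(SAMPLE_PS):
        print(f"PID {f.pid}: {f.comm} ({f.reason})")
```

On a live machine, pipe the real listing in with `ps -axo pid,ppid,user,%cpu,comm | python3 script.py` after swapping SAMPLE_PS for `sys.stdin.read()`. Because the miner throttles itself while the user is active, do not rely on %CPU alone; the identity checks (PID, path, owner) hold whether or not the miner is currently running.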
In evidence seen by 9to5Mac, the use of AI is found throughout the malware’s code, which features unusually long-winded comments, a mix of English and Brazilian Portuguese, and repetitive logic patterns that are characteristic of AI-generated scripts.
Overall, this situation is alarming for several reasons. Primarily because AI is lowering the barrier to entry for attackers faster than ‘malware-as-a-service’ ever did. Virtually anyone with internet access can now craft samples like SimpleStealth, significantly accelerating the pace at which new threats can be created and deployed.
The best way to stay safe is to avoid downloading anything from third-party sites. Always source your apps directly from the Mac App Store or directly from developer websites you trust.
Indicators of Compromise
Below you can find the Indicators of Compromise (IoCs) of the SimpleStealth sample for your own research or to improve detection at your organization. Exercise caution around visiting any observed domains.
Malware family: SimpleStealth
Distribution name: Grok.dmg
Target platform: macOS
Observed domain: xaillc[.]com
The Verge
by Terrence O'Brien
Jan 11, 2026, 6:26 PM GMT+1
The company claims there was no breach of its systems.
Instagram says it fixed the issue that sent password reset emails and that there was no breach of its systems.
If you’re one of the many, many people who received a password reset email from Instagram the other day, the company says it fixed the issue. What was the issue? Unclear. We reached out to Meta for clarification and have yet to receive a response. All we know is that an “external party” triggered the emails, and Instagram says you can safely ignore them.
The company posted on X that the issue had been fixed and also claimed there was no breach of its systems. This seemingly contradicts reports from Malwarebytes, which said that information on 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, and email addresses, was available on the dark web.
eurogamer.net
News by Connor Makar Staff Writer
Published on Jan. 6, 202
Final Fantasy 14 is suffering DDOS attacks on its American servers during the release of the latest Savage raid.
Final Fantasy 14 has released its latest Savage-tier raid today, pushing the game's best and brightest to race through this new challenge group content to earn powerful loot and see which region can take it down first. However, for Americans, this is proving difficult due to ongoing DDOS attacks and server outages.
With the release of patch 7.4 last month, players were welcomed back to the game with a bunch of new content to pore over. The Savage difficulty for the Heavyweight raid, which was delayed until after the holiday season, has just come out, resulting in the usual rush to see which team can take it down first.
The problem comes from DDOS attacks. American players, obviously present on different servers than like-minded raiders in other regions, are facing a spree of connection issues as the servers are bombarded with digital assaults from nefarious parties. Checking the FF14 server status page, you can see a sizable portion of American servers under strain.
This has resulted in chaos for the race for world first Heavyweight Savage clears, as American teams are scrambling to contend with these extra hurdles. Players looking to temporarily hop to different servers, such as Oceania's Materia server cluster, aren't safe from these attacks either. The only way to dodge such attacks at this time appears to be a full-on server transfer to another region, which would add latency that top-end players tackling difficult content wouldn't want anyway. A messy situation.
Funnily enough, it appears as though Japanese servers are largely doing just fine during the initial release of Savage Heavyweights so far! This is both good and bad. It's good because these server outages are annoying and the fewer people experience them the better. It's bad because, from the perspective of competitive raiders looking to race each other to a world first clear, it adds a degree of unfairness to the mix. It takes what should be a joyful moment and sours it.
Unfortunately, this Savage raid release isn't the first time problems like these have hit Final Fantasy 14. In fact, it was only around two weeks ago when the American servers suffered several DDOS attacks. For Western FF14 players, this is a problem in desperate need of addressing, especially now that it's impacted one of the more climactic moments in the Dawntrail expansion's life cycle.
A short post on the Final Fantasy 14 website has acknowledged the problem and states that it's being looked into. However, given the time-sensitive nature of these Savage raid races, it's possible that for the most dedicated FF14 players, the damage has already been done.
therecord.media
Jonathan Greig
January 2nd, 2026
The claims administration company Sedgwick confirmed that a subsidiary that contracts with a handful of sensitive federal agencies is dealing with a cybersecurity incident.
Claims administration company Sedgwick confirmed that its government-focused subsidiary is dealing with a cybersecurity incident.
On New Year’s Eve, the TridentLocker ransomware gang claimed it attacked Sedgwick Government Solutions and stole 3.4 gigabytes of data.
A Sedgwick spokesperson confirmed the company is currently addressing a security incident at the subsidiary, which provides claims and risk management services to federal agencies like the Department of Homeland Security (DHS), Immigration and Customs Enforcement, Customs and Border Protection, Citizenship and Immigration Services, the Department of Labor, and the Cybersecurity and Infrastructure Security Agency (CISA).
“Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation of the affected isolated file transfer system,” the spokesperson said.
“Importantly, Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected. Further, there is no evidence of access to claims management servers nor any impact on Sedgwick Government Solutions' ability to continue serving its clients.”
The company has notified law enforcement and is in contact with its customers about the incident.
CISA and DHS did not respond to requests for comment. The company also provides services to municipal agencies in all 50 states as well as the Smithsonian Institution and the Port Authority of New York and New Jersey.
TridentLocker is a new ransomware gang that emerged in November, cybersecurity experts said. The group previously took credit for an attack on the Belgian postal and package delivery service bpost, which confirmed that it recently suffered from a data breach.
The group has listed a total of 12 victims on its leak site since its emergence.
Ransomware gangs have repeatedly targeted federal government contractors like Sedgwick. More than 10 million people had information leaked after the prominent government contractor Conduent was attacked one year ago.
SWI swissinfo.ch
Keystone-SDA
January 8, 2026 - 12:18
Swiss defence minister denounces increasing stream of disinformation from Russia.
Pfister interprets this as an attempt to influence Swiss politics and to unsettle the population.
The fact that Russia wants to influence the West with hybrid conflict management is nothing new – nor is the fact that Switzerland is increasingly affected by this. But rarely has a government minister condemned Russian “conspiracy narratives”, as Pfister called them, so clearly.
“Russia in particular has been increasingly attacking Switzerland with influence operations since 2022,” he said during a speech at a Swiss media industry event.
Russia primarily spreads disinformation and propaganda in Switzerland, claiming, among other things, that Switzerland is no longer neutral, no longer democratic and no longer safe.
Pfister gave a concrete example at the publishers’ meeting. In an influencing activity last May, pro-Russian accounts distributed a video from Geneva taken out of context in a coordinated manner on seven social media platforms and in all official Swiss languages.
“This supposedly showed that Switzerland was sinking into chaos,” said Pfister. The posts were viewed over two million times within a short space of time.
The two well-known Russian disinformation platforms Russia Today and Pravda alone disseminate between 800 and 900 articles per month in Switzerland, Pfister added. If such narratives continue unchecked, a society becomes vulnerable.
Swiss media publishers could play a decisive role in such an environment, Pfister said. “A healthy media system is also part of the Swiss security architecture.”
Especially in times of technological change and geopolitical uncertainty, the media need to fulfil their responsibilities more than ever.