<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/12/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Two Windows vulnerabilities, one a 0-day, are under active exploitation</title><link>https://nsaneforums.com/news/security-privacy-news/two-windows-vulnerabilities-one-a-0-day-are-under-active-exploitation-r32192/</link><description><![CDATA[<p>
	Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.
</p>

<p>
	 
</p>

<p>
	The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>A large-scale, coordinated operation</strong></span>
</p>

<p>
	 
</p>

<p>
	Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a weakness in how Windows handles the Shortcut (.lnk) binary format: an attacker pads the shortcut’s command-line arguments with whitespace so that the malicious command never appears in the Properties dialog Explorer shows the user. Shortcut files make opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.
</p>

<p>
	 
</p>

<p>
	On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit chain keeps the PlugX payload RC4-encrypted until the final stage of the attack.
</p>

<p>
	 
</p>

<p>
	“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”
</p>

<p>
	 
</p>

<p>
	With no patch available, Windows users are left with few options for fending off attacks. The most effective countermeasure is to lock down .lnk handling by blocking or restricting .lnk files from untrusted origins, for example by configuring Windows Explorer not to resolve such shortcuts automatically. The severity rating for CVE-2025-9491 is 7 out of 10.
</p>
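
<p>
	The following Python is an added example for this article, not code from Trend Micro, Arctic Wolf or Microsoft. It parses the StringData section of a Shell Link file using the layout from the [MS-SHLLINK] specification and flags the whitespace-padded command-line arguments that CVE-2025-9491 relies on. The 16-character threshold and the two sample shortcuts are constructed for the demonstration.
</p>

```python
"""Pull the StringData out of a Windows Shell Link (.lnk) and flag command-line
arguments padded with whitespace, the trick behind CVE-2025-9491. Added example
for this article; it is not code from Trend Micro, Arctic Wolf or Microsoft.
Only the format facts from [MS-SHLLINK] are used; thresholds and samples are constructed."""
import struct

# LinkFlags bits ([MS-SHLLINK] 2.1.1), in the order the StringData fields appear.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def padded_argument_findings(args: str, max_run: int = 16) -> list:
    """Flag whitespace runs long enough to push the real command out of the Properties box."""
    findings, run, longest = [], 0, 0
    for c in args:
        run = run + 1 if c in PADDING_CHARS else 0
        longest = max(longest, run)
    if longest > max_run:
        findings.append(f"whitespace run of {longest} characters in arguments")
    if any(c in "\r\n\x0b\x0c" for c in args):
        findings.append("vertical whitespace (CR/LF/VT/FF) in arguments")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for exercising the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a normal shortcut and one whose arguments hide behind 300 spaces.
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe", " " * 300 + r"/c start %TEMP%\update.bat")


def scan(data: bytes) -> list:
    """Parse a .lnk blob and return the padding findings for its arguments."""
    return padded_argument_findings(parse_lnk_strings(data).get("arguments", ""))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan(blob) or "clean")
```

<p>
	Run scan() over quarantined .lnk attachments or a mail-gateway sample set. A hit on the whitespace check does not prove malice on its own, but a shortcut whose arguments begin with hundreds of spaces has no legitimate reason to, and the parser also gives you the relative path and working directory to pivot on.
</p>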

<p>
	 
</p>

<p>
	The other Windows vulnerability was patched last week, when Microsoft issued an unscheduled update. CVE-2025-59287 carries a severity rating of 9.8. It resides in Windows Server Update Services, which administrators use to distribute and manage Microsoft updates across large fleets of Windows machines. Microsoft previously attempted to patch the potentially wormable remote code execution vulnerability, caused by unsafe deserialization of untrusted data, a week earlier in its October Patch Tuesday release. Publicly released proof-of-concept code quickly proved that the attempted fix was incomplete.
</p>

<p>
	 
</p>

<p>
	Around the same time that Microsoft released its second fix, security firm Huntress said it had observed the WSUS flaw being exploited starting on October 23. Security firm Eye reported the same finding shortly after.
</p>

<p>
	 
</p>

<p>
	Security firm Sophos said Wednesday that it has also observed CVE-2025-59287 being exploited “in multiple customer environments” since October 24.
</p>

<p>
	 
</p>

<p>
	“The wave of activity, which spanned several hours and targeted internet-facing WSUS servers, impacted customers across a range of industries and did not appear to be targeted attacks,” Sophos said. “It is unclear if the threat actors behind this activity leveraged the public PoC or developed their own exploit.”
</p>

<p>
	 
</p>

<p>
	Administrators should investigate immediately if their devices are vulnerable to either of the ongoing attacks. There’s no indication when Microsoft will release a patch for CVE-2025-9491.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://arstechnica.com/security/2025/10/two-windows-vulnerabilities-one-a-0-day-are-under-active-exploitation/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32192</guid><pubDate>Fri, 31 Oct 2025 23:36:56 +0000</pubDate></item><item><title>New Linux Singularity Rootkit using Sophisticated Technique to Evade Elastic EDR Detection</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-singularity-rootkit-using-sophisticated-technique-to-evade-elastic-edr-detection-r32179/</link><description><![CDATA[<p>
	A new Linux kernel rootkit, Singularity, has been designed to slip past the defenses of Elastic Security, a leading endpoint detection and response (EDR) platform.
</p>

<p>
	 
</p>

<p>
	Released on GitHub by researcher 0xMatheuZ, the rootkit employs advanced obfuscation techniques to evade YARA-based detection and behavioral monitoring.
</p>

<p>
	 
</p>

<p>
	While presented strictly for educational purposes, Singularity underscores the evolving challenges in kernel-level threat detection, potentially informing both attackers and defenders in the cybersecurity arms race.
</p>

<p>
	 
</p>

<p>
	Elastic Security, integrated with Elastic Defend, typically triggers over two dozen alerts during rootkit scans, including file quarantines and process terminations.
</p>

<p>
	 
</p>

<p>
	Singularity counters this by fragmenting its code, randomizing identifiers, and staging payloads in memory, achieving full evasion during testing.
</p>

<p>
	 
</p>

<p>
	Core capabilities include hiding processes from /proc, concealing files and directories with patterns like “singularity” or “matheuz,” masking TCP connections on port 8081, and enabling privilege escalation via custom signals or environment variables.
</p>

<p>
	 
</p>

<p>
	It also features an ICMP-based backdoor for reverse shells triggered by specific packet sequences, alongside anti-analysis measures that block tracing and sanitize logs.
</p>

<p>
	<br />
	<span><strong>Singularity Linux Rootkit Evades Elastic EDR</strong></span>
</p>

<p>
	 
</p>

<p>
	At the heart of Singularity’s success lies a multi-layered approach to static analysis evasion. Traditional rootkits falter on predictable strings and symbols that YARA rules target, such as “kallsyms_lookup_name” paired with “license=GPL” or hooks like “hook_getdents.”
</p>

<p>
	 
</p>

<p>
	<img alt="Singularity.webp" class="ipsImage" data-ratio="75.10" height="354" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM5XWB0UFcgvz-uK7NSXdzWr4GnAnNw9mX3AbePMXhyiWyq6dzLWtG6Xv1DPoKQzYc0wcYcFIFdGC5I89DpjXukWgPsrZeOLbbLQh849RwnQGW5HSIAPaCf_5pF5Z7rxrtcj0JgEspQmjtWU6w2K2mzdLpvnFVTF18h-uZME693_L9sE9wubwKn52FUAyY/s16000/Singularity.webp" />
</p>

<p>
	<span>Singularity tool</span>
</p>

<p>
	 
</p>

<p>
	The rootkit’s Python-based obfuscator fragments these in the source before compilation, splitting strings into adjacent literals that the C compiler reassembles, e.g., transforming MODULE_LICENSE("GPL") into MODULE_LICENSE("G" "P" "L").
</p>

<p>
	 
</p>

<p>
	The author reports that this preserves functionality while leaving no direct matches when the result is inspected with tools like strings and objdump. One caveat for anyone reproducing the experiment: a standard C compiler concatenates adjacent string literals during translation, so "G" "P" "L" is stored as a contiguous "GPL" in the object it emits. Splitting literals defeats rules that are run against source text or that match the literal as spelled in source; a scanner reading strings from the compiled .ko will still see the assembled value unless the string is instead built at runtime.
</p>

<p>
	 
</p>

<p>
	Symbol name randomization takes it further, replacing suspicious prefixes (“hook_,” “fake_”) with innocuous, kernel-mimicking names like “sys_abjker_handler” or “kern_wopqls_helper.”
</p>

<p>
	 
</p>

<p>
	A whitelist protects essential kernel APIs, and regex patterns extract functions for consistent renaming, sorted by length to avoid partial substitutions, MatheuZ said.
</p>

<p>
	 
</p>

<p>
	Ftrace hooking functions, another common giveaway, receive similar treatment, renaming “fh_install_hook” to evade rules detecting two or more such patterns. These techniques collectively dismantle the 57 function-name signatures in Elastic’s generic rootkit rules.
</p>
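
<p>
	The two source-level passes described above (literal fragmentation and length-ordered symbol renaming with a protected whitelist), as an added Python example for this article. This is not the Singularity project’s obfuscator; the suspicious prefixes, the whitelist, the generated name shape and the stand-in module source are all constructed for the demonstration.
</p>

```python
"""Two source-level obfuscation passes of the kind the article attributes to Singularity's
Python obfuscator: split C string literals into adjacent fragments and rename give-away
function names. Added example, not the project's own tool; prefixes, the whitelist and the
sample module source are assumed/constructed."""
import random
import re

STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
# Function names whose prefix alone is enough for a generic rootkit YARA rule.
SUSPICIOUS_FUNC = re.compile(r'\b((?:hook|fake|fh)_[A-Za-z_]\w*)\s*\(')
# Kernel APIs that must keep their real names or the module will not link.
KERNEL_API_WHITELIST = {"kallsyms_lookup_name", "register_kprobe", "unregister_kprobe"}


def fragment_literals(src: str) -> str:
    """"GPL" -> "G" "P" "L"; the C compiler concatenates adjacent literals again."""
    def split(m):
        body = m.group(1)
        if body == "":
            return m.group(0)
        pieces = re.findall(r'\\.|.', body)           # keep escapes such as \n as one piece
        return " ".join(f'"{p}"' for p in pieces)
    out = []
    for line in src.splitlines(keepends=True):
        # Preprocessor lines (#include "x.h") need their literal intact.
        out.append(line if line.lstrip().startswith("#") else STRING_LITERAL.sub(split, line))
    return "".join(out)


def rename_symbols(src: str, seed: int = 0) -> tuple:
    """Replace suspicious function names with kernel-looking ones; returns (source, mapping)."""
    rng = random.Random(seed)
    names = set(SUSPICIOUS_FUNC.findall(src)) - KERNEL_API_WHITELIST
    mapping = {}
    # Longest names first so hook_getdents64 is mapped before hook_getdents;
    # the \b anchors below make this safe even for names that share a prefix.
    for name in sorted(names, key=len, reverse=True):
        body = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
        mapping[name] = f"{rng.choice(['sys', 'kern', 'vfs'])}_{body}_{rng.choice(['handler', 'helper', 'cb'])}"
    for name, new in mapping.items():
        src = re.sub(rf'\b{re.escape(name)}\b', new, src)
    return src, mapping


def obfuscate(src: str, seed: int = 0) -> tuple:
    """Rename first, then fragment, so strings that mention a hook name are covered too."""
    renamed, mapping = rename_symbols(src, seed)
    return fragment_literals(renamed), mapping


# Constructed stand-in for a module source file; not Singularity's code.
SAMPLE_SOURCE = '''#include <linux/module.h>
#include "ftrace_helper.h"
MODULE_LICENSE("GPL");
static asmlinkage long hook_getdents64(const struct pt_regs *regs) { return 0; }
static asmlinkage long hook_getdents(const struct pt_regs *regs) { return 0; }
static int fh_install_hook(struct ftrace_hook *hook) { return 0; }
static int __init rk_init(void)
{
    kallsyms_lookup_name("sys_call_table");
    fh_install_hook(NULL);
    pr_info("hook_getdents ready\\n");
    return 0;
}
'''

if __name__ == "__main__":
    out, mapping = obfuscate(SAMPLE_SOURCE, seed=1)
    print(mapping)
    print(out)
```

<p>
	The regex-based approach is deliberately shallow: it does not understand comments, character literals or macros, which is exactly why a whitelist is needed. For defenders the lesson is the same as in the article: a rule keyed on spellings in source (hook_, fh_install_hook, "GPL" as a literal) is cheap to defeat, whereas rules on the loaded module’s behaviour or on .modinfo contents of the compiled object are not touched by these passes.
</p>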

<p>
	 
</p>

<p>
	Beyond static tricks, Singularity fragments its compiled .ko file into 64KB XOR-encoded chunks using a random 16-byte key, stored alongside metadata for reconstruction.
</p>

<p>
	 
</p>

<p>
	A custom loader, compiled statically, reassembles these in memory via memfd_create, an anonymous file descriptor that avoids disk artifacts.
</p>

<p>
	 
</p>

<p>
	It employs direct syscalls (both 64-bit and legacy 32-bit via int $0x80) to invoke finit_module, sidestepping hooked libc functions. This memory-only loading resists on-disk scanning, with fragments deletable post-execution. Direct syscalls bypass only userland hooks, however: the finit_module call is still visible to kernel-side telemetry such as an audit rule or an eBPF tracepoint on the init_module and finit_module syscalls, and on a kernel built with module signature checking an unsigned module taints the kernel and leaves a message in the kernel log unless that is scrubbed as well.
</p>
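
<p>
	The staging format described above, as an added Python example (not the Singularity loader’s code): a module is split into 64 KB chunks, each XOR-encoded with a 16-byte key, with a manifest for reassembly. The chunk and manifest layout and the assumption that the key simply repeats every 16 bytes are mine. The example also shows the defender’s side: because every x86-64 .ko starts with the same 16-byte ELF e_ident, a repeating 16-byte XOR key is recovered from the first chunk alone, so this is obfuscation rather than encryption.
</p>

```python
"""XOR-chunk staging of a kernel module with a manifest for reassembly, as the article
describes for Singularity's loader, plus the defender's answer: a repeating 16-byte XOR
key is recovered from the ELF e_ident known plaintext. Added example; the chunk/manifest
layout and the repeating-key assumption are mine, not the project's."""
import hashlib
import json
import random
import struct

CHUNK_SIZE = 64 * 1024
# e_ident of a 64-bit little-endian ELF file: exactly 16 bytes, identical for every x86-64 .ko.
ELF64_LE_IDENT = b"\x7fELF\x02\x01\x01" + b"\x00" * 9


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def fragment(module: bytes, key: bytes) -> tuple:
    """Split into CHUNK_SIZE pieces, XOR each with the repeating key, emit a JSON manifest."""
    chunks = [xor_bytes(module[i:i + CHUNK_SIZE], key) for i in range(0, len(module), CHUNK_SIZE)]
    manifest = {"chunk_size": CHUNK_SIZE, "count": len(chunks), "total": len(module),
                "sha256": hashlib.sha256(module).hexdigest(), "key": key.hex()}
    return json.dumps(manifest), chunks


def reassemble(manifest_json: str, chunks: list) -> bytes:
    """Inverse of fragment(); refuses to return a module whose hash does not match."""
    m = json.loads(manifest_json)
    if len(chunks) != m["count"]:
        raise ValueError("chunk count mismatch")
    key = bytes.fromhex(m["key"])
    module = b"".join(xor_bytes(c, key) for c in chunks)
    if len(module) != m["total"] or hashlib.sha256(module).hexdigest() != m["sha256"]:
        raise ValueError("reassembled module does not match manifest")
    return module


def recover_key(first_chunk: bytes) -> bytes:
    """Known plaintext: ciphertext XOR e_ident gives the whole 16-byte key, no manifest needed."""
    return xor_bytes(first_chunk[:16], ELF64_LE_IDENT)


def probe_xor_encoded_module(first_chunk: bytes):
    """Triage for a blob found on disk or in memory: return the recovered key if the blob is an
    XOR-encoded x86-64 relocatable object (what a .ko is), None otherwise. A plain, unencoded
    module yields an all-zero key and is reported as None too."""
    if len(first_chunk) < 20:
        return None
    key = recover_key(first_chunk)
    if key == bytes(16):
        return None
    e_type, e_machine = struct.unpack_from("<HH", xor_bytes(first_chunk[:20], key), 16)
    return key if (e_type, e_machine) == (1, 0x3E) else None   # ET_REL, EM_X86_64


def fake_module(payload_len: int = 150_000, seed: int = 7) -> bytes:
    """Constructed stand-in for a .ko: a valid ELF64 header start followed by random bytes."""
    header = ELF64_LE_IDENT + struct.pack("<HHI", 1, 0x3E, 1)   # ET_REL, EM_X86_64, EV_CURRENT
    return header + random.Random(seed).randbytes(payload_len)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    manifest, chunks = fragment(fake_module(), key)
    print(len(chunks), "chunks; key recovered from chunk 0:", recover_key(chunks[0]).hex())
```

<p>
	probe_xor_encoded_module() is the piece worth keeping: run it over suspicious 64 KB files in /tmp or over memfd contents dumped from a process, and a non-None result tells you both that the blob is a staged module and what key decodes the rest of it. The reverse-shell staging and PID-hiding steps described next are not touched by this check; they need the behavioural telemetry the article discusses.
</p>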

<p>
	 
</p>

<p>
	Behavioral detection proves trickier, especially for the ICMP-triggered reverse shell. Elastic flags patterns like setsid with /dev/tcp/ in command lines or shell executions from kernel workers.
</p>

<p>
	 
</p>

<p>
	Singularity counters by writing a staged bash script to /singularity, hiding the spawning kworker PID immediately, then executing a clean /bin/bash /singularity.
</p>

<p>
	 
</p>

<p>
	The script opens a TCP descriptor, spawns sh in the background, and uses kill -59 on precise PIDs for targeted hiding and escalation, bypassing command-line scrutiny without affecting legitimate processes.
</p>

<p>
	 
</p>

<p>
	<img alt="Singularity%20Undetected.webp" class="ipsImage" data-ratio="47.08" height="231" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi63NCxXlZeKS2Ij1IaY6ofVPlRkam1qelK-aN5LPVvhLOvxf4GUy6J20TFdACE6iNhfZUZjvF_k3CdumwgBFT4TQ-LcFbK3AMzFmPn4XmVmRluKBzcwy0DOiB7cVUJ6tzDaRr67zFugTtp-jnLmRwqchid9Ja_aRBN98_rgFWeSRiyd2kMFd5OeOVdobnU/s16000/Singularity%20Undetected.webp" />
</p>

<p>
	<span style="font-size:12px;">Evades security Detection</span>
</p>

<p>
	 
</p>

<p>
	Bonus evasions include compiling loaders in /tmp instead of monitored /dev/shm and automating the obfuscation pipeline for reproducibility. In tests, Singularity loaded undetected, hid processes, and established root shells, proving its mettle against current Elastic rules.
</p>

<p>
	 
</p>

<p>
	This work highlights the fragility of signature-based defenses against adaptive threats. As EDRs evolve, such research pushes for holistic detection blending machine learning and anomaly analysis. For defenders, it signals the need for deeper kernel integrity checks; for researchers, it’s a blueprint for resilience.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cybersecuritynews.com/singularity-linux-rootkit-evades-elastic-edr/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32179</guid><pubDate>Fri, 31 Oct 2025 13:38:42 +0000</pubDate></item><item><title>CISA: High-severity Linux flaw now exploited by ransomware gangs</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-high-severity-linux-flaw-now-exploited-by-ransomware-gangs-r32176/</link><description><![CDATA[<p>
	CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.
</p>

<p>
	 
</p>

<p>
	While the vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the netfilter: nf_tables kernel component and was fixed via a commit submitted in January 2024, it was first introduced by a decade-old commit in February 2014.
</p>

<p>
	 
</p>

<p>
	Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices.
</p>

<p>
	 
</p>

<p>
	As Immersive Labs explains, potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft.
</p>

<p>
	 
</p>

<p>
	In late March 2024, a security researcher using the 'Notselwyn' alias published a detailed write-up and proof-of-concept (PoC) exploit code targeting CVE-2024-1086 on GitHub, showcasing how to achieve local privilege escalation on Linux kernel versions between 5.14 and 6.6.
</p>

<p>
	 
</p>

<p>
	The flaw impacts many major Linux distributions, including but not limited to Debian, Ubuntu, Fedora, and Red Hat, which use kernel versions from 3.15 to 6.8-rc1.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Flagged as exploited in ransomware attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	In a Thursday update to its catalog of vulnerabilities exploited in the wild, the U.S. cybersecurity agency said the flaw is now known to be used in ransomware campaigns, but didn't provide more information regarding ongoing exploitation attempts.
</p>

<p>
	 
</p>

<p>
	CISA added this security flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to secure their systems by June 20, 2024.
</p>

<p>
	 
</p>

<p>
	If patching is not possible, IT admins are advised to apply one of the following mitigations:
</p>

<p>
	 
</p>

<ol>
	<li>
		    Blocklist 'nf_tables' if it's not needed/actively used,
	</li>
	<li>
		    Restrict access to user namespaces to limit the attack surface,
	</li>
	<li>
		    Load the Linux Kernel Runtime Guard (LKRG) module (however, this can cause system instability).
	</li>
</ol>
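
<p>
	An offline triage script for the three mitigations above, as an added Python example (not a CISA or vendor tool). It takes the kernel release string, the text of /proc/modules, the user.max_user_namespaces sysctl value and any modprobe.d configuration, and reports whether a host is in the affected upstream range with nf_tables reachable from an unprivileged user namespace. The sample /proc/modules excerpt is constructed; the version check uses only the 3.15 to 6.8-rc1 range stated above, and the exposure logic is my own reading of the mitigations, not the advisory’s.
</p>

```python
"""Offline triage for CVE-2024-1086 exposure using the facts in the article: the affected
upstream version range, whether nf_tables is loaded or blocklisted, and whether unprivileged
user namespaces are available. Added example, not CISA's or a vendor's tool. Inputs are
plain strings so it runs anywhere; assess_live() reads the real files on a Linux host."""
import re

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release: str) -> tuple:
    """'6.5.0-41-generic' -> (6, 5, 0, None); '6.8.0-rc1' -> (6, 8, 0, 1)."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc else None


def upstream_range_affected(release: str) -> bool:
    """True for 3.15 <= version < 6.8 and for 6.8-rc1. Stable branches received the fix
    as a backport, so True means 'confirm against the vendor advisory', not 'exploitable'."""
    major, minor, _, rc = parse_release(release)
    if (major, minor) < (3, 15):
        return False
    if (major, minor) < (6, 8):
        return True
    return (major, minor) == (6, 8) and rc == 1


def nf_tables_loaded(proc_modules: str) -> bool:
    """/proc/modules lists one module per line, name first."""
    return any(line.split()[0] == "nf_tables" for line in proc_modules.splitlines() if line.strip())


def nf_tables_blocklisted(modprobe_conf: str) -> bool:
    """'blacklist' stops alias-triggered autoload only; 'install nf_tables /bin/false'
    also defeats an explicit modprobe, so accept either as a mitigation signal."""
    pat = re.compile(r"^\s*(blacklist\s+nf_tables|install\s+nf_tables\s+/bin/(false|true))\b")
    return any(pat.match(line) for line in modprobe_conf.splitlines())


def assess(release: str, proc_modules: str, max_user_namespaces: int, modprobe_conf: str = "") -> dict:
    """Combine the signals: 'exposed' needs a vulnerable range, reachable nf_tables and
    a way for an unprivileged user to get CAP_NET_ADMIN inside a user namespace."""
    f = {
        "kernel_in_affected_range": upstream_range_affected(release),
        "nf_tables_loaded": nf_tables_loaded(proc_modules),
        "nf_tables_blocklisted": nf_tables_blocklisted(modprobe_conf),
        "unprivileged_userns_available": max_user_namespaces > 0,
    }
    nf_reachable = f["nf_tables_loaded"] or not f["nf_tables_blocklisted"]   # it autoloads on demand
    f["exposed"] = f["kernel_in_affected_range"] and nf_reachable and f["unprivileged_userns_available"]
    return f


def assess_live() -> dict:
    """Linux only: read the same inputs from the running host."""
    import glob
    import os
    with open("/proc/modules") as fh:
        mods = fh.read()
    with open("/proc/sys/user/max_user_namespaces") as fh:
        max_ns = int(fh.read())
    conf = "".join(open(p).read() + "\n" for p in glob.glob("/etc/modprobe.d/*.conf"))
    return assess(os.uname().release, mods, max_ns, conf)


# Constructed /proc/modules excerpt for the offline demonstration.
PROC_MODULES_SAMPLE = """nf_tables 372736 0 - Live 0x0000000000000000
nfnetlink 20480 1 nf_tables, Live 0x0000000000000000
xfs 2097152 1 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    print(assess("6.6.9-generic", PROC_MODULES_SAMPLE, 15000))
```

<p>
	Two caveats when acting on the output. Distribution kernels carry backported fixes under old version numbers, so the version signal alone is a prompt to read the vendor changelog, not a verdict. And setting user.max_user_namespaces to 0 removes the unprivileged path into nf_tables but also breaks rootless containers and sandboxes that depend on user namespaces; the distribution-specific kernel.unprivileged_userns_clone knob on Debian-derived systems is a narrower alternative where it exists.
</p>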

<p>
	 
</p>

<p>
	"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said. "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/cisa-linux-privilege-escalation-flaw-now-exploited-in-ransomware-attacks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32176</guid><pubDate>Fri, 31 Oct 2025 13:22:14 +0000</pubDate></item><item><title>&#x2018;Dangerous&#x2019; YouTube videos struck down for bypassing Windows 11 account setup</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98dangerous%E2%80%99-youtube-videos-struck-down-for-bypassing-windows-11-account-setup-r32169/</link><description><![CDATA[<p>
	<span>A creator had two Windows guides taken down by YouTube's automated systems, allegedly in violation of the "harmful or dangerous content policy." </span>
</p>

<p>
	 
</p>

<p>
	Microsoft, really, really, really wants you to log in with a full, connected Microsoft account for Windows 11. It’s essential for tracking user data, feeding people ads, and generally making your PC experience much more frustrating (though it also enables ease-of-life features like OneDrive and account syncing between PCs). Users have been finding ways around this requirement for a while, and sharing their results. This is apparently a “harmful or dangerous” act, according to YouTube.
</p>

<p>
	 
</p>

<p>
	That’s the inescapable conclusion one must draw from the fact that YouTube creator CyberCPU Tech has reportedly had a video on this topic removed from the platform, and all appeals to YouTube and Google have been denied, according to the creator. The same thing happened a week later for a guide on how to install Windows 11 25H2 on older, unsupported hardware, as reported by Tom’s Hardware. Both videos were flagged by YouTube’s automated system as a violation of its “Harmful or dangerous content policy.” Again, when the creator asked for a manual review, the appeal was denied.
</p>

<p>
	 
</p>

<p>
	YouTube’s policy outlaws obvious things like “instructional theft” (piracy, defeating retail store theft prevention, etc), “hacking” with the intent to steal information, bypassing payment systems, and phishing. I haven’t seen the videos, of course — they’re gone. But as far as I can tell, none of CyberCPU’s instructions would have included any of this, assuming it was just telling people how to install Windows 11 on older hardware or install it without a connected user account, something Windows has been able to do for decades.
</p>

<p>
	 
</p>

<p>
	According to the policy, a channel that gets three such strikes in a 90-day period can be terminated permanently. CyberCPU says that only one strike was applied to the channel, with the second video included in the original warning.
</p>

<p>
	 
</p>

<p>
	The CyberCPU Tech channel is five years old and has 300,000 subscribers, which is considered mid-range for the platform, but many creators make a living from channels that size. After taking a class provided by YouTube, the channel will be in good standing with the platform by January 2026, and the creator has applied to get a personal representative assigned from YouTube.
</p>

<p>
	 
</p>

<p>
	In a follow-up video posted two days ago, CyberCPU Tech claims that the second appeal was denied in less than a minute. Other YouTube creators that have covered similar Windows topics have also had their videos removed, according to yet another video from the channel. While they didn’t initially believe that Microsoft had anything to do with the takedowns, instead blaming YouTube’s “AI-enhanced” and notoriously unreliable automated system, they now think otherwise. “In fact, I believe they [Microsoft] are entirely responsible for this.”
</p>

<p>
	 
</p>

<p>
	After outlining alternative video options, the creator said, “Are we not allowed to make videos about installing Windows on unsupported hardware because of some backroom deal with Microsoft? If that’s the case, then Microsoft’s own website shows how to do it. But fine, we won’t make those videos anymore, we just need to know the rules and make them clear.”
</p>

<p>
	 
</p>

<p>
	No evidence for direct Microsoft involvement was offered, though YouTube’s labyrinthian processes for creators aren’t helping to assuage those fears. Copyright strikes, a separate but easily exploitable system, are often used by IP owners to shut down unfavorable YouTube videos even when they clearly fall under fair use. YouTube channel operators have to navigate an inscrutable system that offers little to no guidance on what specific part of a video constitutes a violation, whether actions were taken automatically or due to reports from viewers or third parties, and how they might avoid getting strikes in the future.
</p>

<p>
	 
</p>

<p>
	CyberCPU Tech intends to continue making videos on similar Windows topics, though they may be posted elsewhere. The creator mentioned X/Twitter, Floatplane, a tech-focused platform owned and operated by Linus Media Group (owner of Linus Tech Tips), and Rumble, an alternative video site made for right-wing influencers. Rumble provides hosting for U.S. President Trump’s personal social network Truth Social, and is popular with influencers who have been banned from more mainstream platforms, like game streamer “Dr Disrespect” and alleged human trafficker Andrew Tate.
</p>

<p>
	 
</p>

<p>
	The creator said that Rumble is not a realistic option for tech creators who want to move off YouTube. “…After two years and hundreds of videos, I’ve made a total of 43 cents.” Non-political content on YouTube alternatives struggles to maintain viewers (though more generalized competitors like TikTok and Instagram Reels are faring better). “But as long as people continue to upload to YouTube,” says CyberCPU, “YouTube will still be able to abuse their creators, because they have no incentive not to.”
</p>

<p>
	 
</p>

<p>
	Whether automated or guided by human hands, YouTube’s policies continue to frustrate many of the creators who make the platform successful. Regular viewers are also becoming tired of the site’s many problems, including rising prices for ad-free viewing and a massive influx of AI slop, much of which is provided by YouTube itself. Even as the platform gets measurably worse in many different ways and faces increasing competition from services like TikTok, it remains the de facto home of user-uploaded video on the web. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcworld.com/article/2957554/dangerous-youtube-videos-struck-down-for-bypassing-windows-11-account-setup.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32169</guid><pubDate>Fri, 31 Oct 2025 01:00:57 +0000</pubDate></item><item><title>Malicious NPM packages fetch infostealer for Windows, Linux, macOS</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos-r32147/</link><description><![CDATA[<p>
	Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems.
</p>

<p>
	 
</p>

<p>
	The packages were uploaded to npm on July 4, and remained undetected for a long period due to multiple layers of obfuscation that helped escape standard static analysis mechanisms.
</p>

<p>
	 
</p>

<p>
	According to researchers at cybersecurity company Socket, the ten packages had accumulated nearly 10,000 downloads and stole credentials from system keyrings, browsers, and authentication services.
</p>

<p>
	 
</p>

<p>
	At the time of writing, the packages are still available, despite Socket reporting them to npm:
</p>

<p>
	 
</p>

<ol>
	<li>
		typescriptjs
	</li>
	<li>
		deezcord.js
	</li>
	<li>
		dizcordjs
	</li>
	<li>
		dezcord.js
	</li>
	<li>
		etherdjs
	</li>
	<li>
		ethesjs
	</li>
	<li>
		ethetsjs
	</li>
	<li>
		nodemonjs
	</li>
	<li>
		react-router-dom.js
	</li>
	<li>
		zustand.js
	</li>
</ol>

<p>
	 
</p>

<p>
	Socket <a href="http://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester" rel="external nofollow" target="_blank">researchers say</a> that the packages use a fake CAPTCHA challenge to appear legitimate and download a 24MB infostealer packaged with PyInstaller.
</p>

<p>
	 
</p>

<p>
	To lure users, the threat actor used typosquatting, a tactic that leverages misspellings or variations of the legitimate names for TypeScript (typed superset of JavaScript), discord.js (Discord bot library), ethers.js (Ethereum JS library), nodemon (auto-restarts Node apps), react-router-dom (React browser router), and zustand (minimal React state manager).
</p>

<p>
	 
</p>

<p>
	When searching for the legitimate packages on the npm platform, developers may mistype the name of the legitimate package or pick a malicious one listed in the results.
</p>

<p>
	 
</p>

<p>
	Upon installation, a ‘postinstall’ script is triggered automatically to spawn a new terminal that matches the host’s detected OS. The script executes ‘app.js’ outside the visible install log and clears the window immediately to evade detection.
</p>

<p>
	 
</p>

<p>
	The ‘app.js’ file is the malware loader, which employs four obfuscation layers: a self-decoding eval wrapper, XOR decryption with a dynamically generated key, a URL-encoded payload, and heavy control-flow obfuscation.
</p>

<p>
	 
</p>

<p>
	The script displays a fake CAPTCHA in the terminal using ASCII to give false legitimacy to the installation process.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake ASCII CAPTCHA step" class="ipsImage" height="465" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/October/ascii-captcha.jpg">
		<figcaption>
			<em>Bogus ASCII CAPTCHA step<br>
			Source: Socket</em>
		</figcaption>
	</figure>
</div>

<p>
	Next, it sends the victim's geolocation and system fingerprint information to the attacker's command and control (C2) server. Having acquired this information, the malware downloads and automatically launches a platform-specific binary from an external source, which is a 24 MB PyInstaller-packaged executable.
</p>

<p>
	 
</p>

<p>
	The information stealer targets system keyrings such as Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, and KWallet, as well as data stored in Chromium-based and Firefox browsers, including profiles, saved passwords, and session cookies.
</p>

<p>
	 
</p>

<p>
	Moreover, it seeks SSH keys in common directories, and also attempts to locate and steal OAuth, JWT, and other API tokens.
</p>

<p>
	 
</p>

<p>
	The stolen information is packaged into compressed archives and exfiltrated to the attacker’s server at 195[.]133[.]79[.]43, following a temporary staging step in /var/tmp or /usr/tmp.
</p>

<p>
	 
</p>

<p>
	Developers who downloaded any of the listed packages are recommended to clean up the infection and rotate all access tokens and passwords, as there is a good chance that they are compromised.
</p>

<p>
	 
</p>

<p>
	When sourcing packages from npm or other open-source indexes, it is advisable to double-check for typos and ensure that everything comes from reputable publishers and official repositories.
</p>
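
<p>
	A small dependency audit that automates the two checks this article points to, as an added Python example (not Socket’s or npm’s tooling): it flags dependency names that normalize to, or sit within a short edit distance of, a known popular package, and it lists install-time lifecycle scripts such as the postinstall hook these packages used. The known-package list is the six legitimate projects named above, the distance threshold is an assumption, and the sample manifest is constructed. Run it against your own package.json and against the package.json of anything you are about to install (for example from the tarball or from npm view).
</p>

```python
"""Audit a package.json for typosquat-style dependency names and install-time lifecycle
scripts, the two signals in the Socket report. Added example, not Socket's or npm's tooling;
the known-package list is the article's six legitimate projects, thresholds are assumptions."""
import json
import re

KNOWN_PACKAGES = {"typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"}
# Scripts npm runs automatically around installation; 'prepare' also runs on a bare npm install.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "preprepare", "prepare", "postprepare")


def normalize(name: str) -> str:
    """Lower-case, drop scope and punctuation and a trailing 'js', so 'zustand.js' -> 'zustand'."""
    name = name.lower().split("/")[-1]
    name = re.sub(r"[^a-z0-9]", "", name)
    return name[:-2] if name.endswith("js") and len(name) > 2 else name


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the inputs are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(dep_name: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> list:
    """Known packages the name resembles, as (package, distance), nearest first.
    An exact legitimate name returns []; 'zustand.js' returns [('zustand', 0)]."""
    if dep_name in known:
        return []
    n = normalize(dep_name)
    hits = [(k, levenshtein(n, normalize(k))) for k in sorted(known)]
    return sorted([h for h in hits if h[1] <= max_distance], key=lambda h: h[1])


def audit_package_json(text: str, known=KNOWN_PACKAGES) -> dict:
    """Return suspicious dependency names and any lifecycle scripts declared in the manifest."""
    pkg = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    suspicious = {name: typosquat_candidates(name, known) for name in deps}
    suspicious = {n: c for n, c in suspicious.items() if c}
    scripts = {k: v for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE_SCRIPTS}
    return {"typosquat_candidates": suspicious, "lifecycle_scripts": scripts}


# Constructed project manifest mixing legitimate names, two of the reported typosquats and
# one (deezcord.js) that sits at distance 3 and therefore slips past this heuristic.
PROJECT_MANIFEST = json.dumps({
    "name": "my-bot",
    "dependencies": {"dizcordjs": "^1.0.0", "zustand.js": "*", "react-router-dom": "^6.0.0",
                     "deezcord.js": "*", "express": "^4"},
    "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
})

if __name__ == "__main__":
    print(json.dumps(audit_package_json(PROJECT_MANIFEST), indent=2))
```

<p>
	The distance heuristic is intentionally conservative and, as the constructed manifest shows, misses deezcord.js; treat a clean result as “nothing obvious”, not as a clearance. The lifecycle-script check is the more reliable of the two, because the loader in this campaign could not run without its postinstall hook: installing with npm install --ignore-scripts and reviewing any script the audit lists removes that execution path entirely.
</p>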

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 30 October 2025 at 12:11 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32147</guid><pubDate>Thu, 30 Oct 2025 02:12:33 +0000</pubDate></item><item><title>Google Chrome to warn users before opening insecure HTTP sites</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-to-warn-users-before-opening-insecure-http-sites-r32107/</link><description><![CDATA[<p>
	Google announced today that the Chrome web browser will start warning users by default before connecting to insecure HTTP public websites beginning with Chrome 154 in October 2026.
</p>

<p>
	 
</p>

<p>
	Google Chrome has also offered an <a href="https://www.bleepingcomputer.com/news/security/google-chrome-will-add-https-first-mode-to-keep-your-data-safe/" rel="external nofollow" target="_blank">opt-in HTTPS-First Mode</a> since 2021, which added the "Always Use Secure Connections" setting; it attempts to connect to websites over HTTPS (HyperText Transfer Protocol Secure) and displays a bypassable warning if HTTPS is unavailable.
</p>

<p>
	 
</p>

<p>
	However, Google will now enable this option by default to ensure that users visit websites only via HTTPS and are always protected from man-in-the-middle (MITM) attacks that try to snoop on or alter data exchanged with Internet servers over the unencrypted HTTP protocol.
</p>

<p>
	 
</p>

<p>
	"One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable 'Always Use Secure Connections.' This means Chrome will ask for the user's permission before the first access to any public site without HTTPS," the company said.
</p>

<p>
	 
</p>

<p>
	"When links don't use HTTPS, an attacker can hijack the navigation and force Chrome users to load arbitrary, attacker-controlled resources, and expose the user to malware, targeted exploitation, or social engineering attacks."
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="HTTP warning" class="ipsImage" height="364" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/HTTP-warning.png">
		<figcaption>
			<em>HTTP warning (Google)</em>
		</figcaption>
	</figure>
</div>

<p>
	As Google further explained, across all variants of the "Always Use Secure Connections" setting (targeting private or public sites), Chrome will not keep warning about an insecure site the user visits regularly. Rather than interrupting roughly 1 in every 50 navigations, Chrome will only warn when the user opens a new (or rarely visited) site that doesn't use HTTPS.
</p>

<p>
	 
</p>

<p>
	Additionally, users will have the option to enable insecure connection alerts for public sites only or for both public and private sites (including enterprise intranets).
</p>

<p>
	 
</p>

<p>
	It's important to note that while private sites can still be risky, they are generally considered less dangerous than public sites because there are fewer opportunities for attackers to exploit them, and HTTP can only be misused by attackers within a more limited context, such as a local network like your home Wi-Fi or within a corporate environment.
</p>

<p>
	 
</p>

<p>
	However, even with both types of warnings toggled on, users shouldn't be bombarded with notifications, seeing that around 95-99% of all websites have adopted HTTPS, a massive increase from 2015's adoption rate of roughly 30-45%.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Secure connection settings" class="ipsImage" height="275" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Secure%20connection%20settings.png">
		<figcaption>
			<em>Secure connection settings (Google)</em>
		</figcaption>
	</figure>
</div>

<p>
	Before enabling it by default for all users, Chrome will enable "Always Use Secure Connections" for public sites for over 1 billion users using Enhanced Safe Browsing protections in April 2026, when Chrome 147 will be released.
</p>

<p>
	 
</p>

<p>
	"While it is our hope and expectation that this transition will be relatively painless for most users, users will still be able to disable the warnings by disabling the 'Always Use Secure Connections' setting," Google added.
</p>

<p>
	 
</p>

<p>
	"If you are a website developer or IT professional, and you have users who may be impacted by this feature, we very strongly recommend enabling the 'Always Use Secure Connections' setting today to help identify sites that you may need to work to migrate."
</p>

<p>
	 
</p>

<p>
	In October 2023, Google Chrome <a href="https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/" rel="external nofollow" target="_blank">added an HTTPS-Upgrades feature</a> that automatically upgrades in-page HTTP links to secure connections for all users, while ensuring a quick fallback to HTTP if needed.
</p>

<p>
	 
</p>

<p>
	Earlier this month, Google also updated its web browser again to <a href="https://www.bleepingcomputer.com/news/google/google-chrome-to-revoke-notification-access-for-inactive-sites/" rel="external nofollow" target="_blank">automatically revoke notification permissions</a> for sites that haven't been visited recently, to reduce alert overload.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-chrome-to-warn-users-before-opening-insecure-http-sites/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 29 October 2025 at 3:49 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32107</guid><pubDate>Tue, 28 Oct 2025 17:50:25 +0000</pubDate></item><item><title>Google disputes false claims of massive Gmail data breach</title><link>https://nsaneforums.com/news/security-privacy-news/google-disputes-false-claims-of-massive-gmail-data-breach-r32101/</link><description><![CDATA[<p>
	Google was once again forced to announce that it had not suffered a data breach after <a href="http://www.google.com/search?q=gmail+data+breach&amp;tbm=nws" rel="external nofollow" target="_blank">numerous news outlets</a> published sensational stories about a fake breach that purportedly exposed 183 million accounts.
</p>

<p>
	 
</p>

<p>
	The claims began circulating over the weekend and continued into today, with news stories reporting that millions of Gmail accounts had been breached, and some outlets saying all 183 million accounts were affected.
</p>

<p>
	 
</p>

<p>
	However, as the company explained in a series of posts on Monday, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years.
</p>

<p>
	 
</p>

<p>
	"Reports of a 'Gmail security breach impacting millions of users' are false. Gmail's defenses are strong, and users remain protected," <a href="https://x.com/NewsFromGoogle/status/1982893232934793655" rel="external nofollow" target="_blank">reads a post on X</a>.
</p>

<p>
	 
</p>

<p>
	"The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It's not reflective of a new attack aimed at any one person, tool, or platform."
</p>

<p>
	 
</p>

<p>
	"Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false," Google added.
</p>

<p>
	 
</p>

<p>
	This is just the latest such story that numerous news websites and cybersecurity companies have reported without verification in recent years.
</p>

<p>
	 
</p>

<p>
	This particular story stems from Have I Been Pwned (HIBP) creator <a href="http://www.troyhunt.com/inside-the-synthient-threat-data/" rel="external nofollow" target="_blank">Troy Hunt announcing</a> that he recently added a massive collection of 183 million compromised credentials, shared with him by the threat intelligence platform Synthient, to the data breach notification service.
</p>

<p>
	 
</p>

<p>
	These credentials were not stolen in a single data breach, but rather through information-stealing malware, data breaches, credential stuffing, and phishing. Furthermore, these accounts are not for a single platform but for thousands, if not millions, of sites.
</p>

<p>
	 
</p>

<p>
	Threat actors commonly collect exposed credentials and combine them into massive collections, which are then shared among the cybercrime community on Telegram channels, Discord servers, and hacking forums.
</p>

<p>
	 
</p>

<p>
	After loading the data into HIBP, Hunt says 91% of the 183 million credentials had previously been seen, illustrating that many of them have been circulating for years.
</p>

<p>
	 
</p>

<p>
	"The final number once the entire data set was loaded into HIBP was 91% pre-existing, with 16.4M previously unseen addresses in <em>any </em>data breach, not just stealer logs," explained Hunt.
</p>

<p>
	 
</p>

<p>
	Companies, including Google, commonly use collections like these to warn customers of exposed passwords and to force password resets to protect accounts.
</p>

<p>
	 
</p>

<p>
	"Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts," explained Google.
</p>

<p>
	 
</p>

<p>
	While the claims of a Gmail data breach are false, that does not mean exposed credentials are harmless or should be ignored, as threat actors commonly use them to breach corporate networks and carry out devastating attacks.
</p>

<p>
	 
</p>

<p>
	For example, the UnitedHealth Change Healthcare ransomware attack was caused by <a href="https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/" rel="external nofollow" target="_blank">exposed Citrix credentials</a> that enabled threat actors to gain initial network access.
</p>

<p>
	 
</p>

<p>
	However, reports of unfounded data breaches do not help anyone and only cause undue stress and extra work for a platform's users and business customers.
</p>

<p>
	 
</p>

<p>
	Just last month, Google had to state that it did not suffer a data breach after the same news sites <a href="https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-billion-gmail-users-to-reset-passwords/" rel="external nofollow" target="_blank">claimed that 2.5 billion Gmail accounts had been compromised</a>.
</p>

<p>
	 
</p>

<p>
	While that claim stemmed from a Salesloft breach that impacted a <a href="https://www.bleepingcomputer.com/news/security/google-warns-salesloft-breach-impacted-some-workspace-accounts/" rel="external nofollow" target="_blank">small number of Google Workspace accounts</a>, the story was quickly sensationalized into a much larger breach.
</p>

<p>
	 
</p>

<p>
	If you are concerned that your credentials may have been part of the Synthient collection, you can register an account at <a href="https://haveibeenpwned.com/" rel="external nofollow" target="_blank">Have I Been Pwned</a>, open the dashboard, and click Stealer Logs to see if your account was compromised in the past by information-stealing malware.
</p>

<p>
	 
</p>

<p>
	If you have accounts listed, perform an antivirus scan on your computer, then immediately change the passwords for all of your accounts.
</p>
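<p>
	Beyond the email lookup described above, HIBP also exposes its Pwned Passwords corpus through a k-anonymity range API, which is how sites and password managers check a password against exactly this kind of stolen-credential compilation without ever transmitting the password. The block below is an added example (not Google's, HIBP's or the article's code) of that check; it also illustrates the service described in the separate Have I Been Pwned guide further down this page. It relies on the documented endpoint https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1 hash, which returns one "SUFFIX:COUNT" line per hash sharing that prefix. The fetch function is injectable so the logic runs offline in tests, and the sample response used there is constructed, not a real API reply.
</p>

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus
without sending the password (k-anonymity range query).

Added example, not Google's, HIBP's or the article's code. It relies on the
documented endpoint https://api.pwnedpasswords.com/range/<first 5 hex chars
of SHA-1>, which returns "SUFFIX:COUNT" lines for every hash with that prefix.
Assumption: `fetch_range` is injectable so tests run offline; any sample
response used with it is constructed, not a real reply.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_http(prefix: str) -> str:
    """Default fetcher: GET the range for a 5-char prefix. Only the prefix
    leaves the machine. Add-Padding asks the service to pad the reply with
    zero-count dummy rows so the response length reveals less about the range."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding rows carry
    count 0 and so never produce a false 'pwned' verdict."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch_range=fetch_range_http) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("Password to check (never sent; only a hash prefix is): ")
    n = pwned_count(pw)
    print(f"seen {n} times in breach data" if n else "not found in Pwned Passwords")
```

Only the five-character prefix leaves the machine, so the service learns at most that the password shares a prefix with a few hundred others. A non-zero count means the password has already appeared in a breach or stealer-log compilation and should be changed everywhere it was reused, which is the practical follow-up to the Stealer Logs check described above.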

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-disputes-false-claims-of-massive-gmail-data-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 28 October 2025 at 12:57 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">32101</guid><pubDate>Tue, 28 Oct 2025 02:58:40 +0000</pubDate></item><item><title>Ransomware profits drop as victims stop paying hackers</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-profits-drop-as-victims-stop-paying-hackers-r32099/</link><description><![CDATA[<p>
	The number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands.
</p>

<p>
	 
</p>

<p>
	With some exceptions, the decline in payment resolution rates continues the trend that Coveware has observed for the past six years.
</p>

<p>
	 
</p>

<p>
	In the first quarter of 2024, the payment percentage <a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-of-28-percent-in-q1-2024/" rel="external nofollow" target="_blank">was 28%</a>. Although it rose in the following quarter, the rate then resumed its decline, reaching an all-time low in the third quarter of 2025.
</p>

<p>
	 
</p>

<p>
	One explanation is that organizations have implemented stronger and more targeted protections against ransomware, while authorities have increased pressure on victims not to pay.
</p>

<p>
	 
</p>

<p>
	“Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress,” <a href="https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet" rel="external nofollow" target="_blank">Coveware says</a>.
</p>

<p>
	 
</p>

<p>
	“The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion — each avoided payment constricts cyber attackers of oxygen.”
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Percentage of ransom payments over time" class="ipsImage" height="284" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/October/payment+rate.jpg">
		<figcaption>
			<em>Percentage of ransom payments over time<br>
			Source: Coveware</em>
		</figcaption>
	</figure>
</div>

<p>
	Over the years, ransomware groups moved from pure encryption attacks to double extortion that came with data theft and the threat of a public leak.
</p>

<p>
	 
</p>

<p>
	Coveware reports that more than 76% of the attacks it observed in Q3 2025 involved data exfiltration, which is now the primary objective for most ransomware groups.
</p>

<p>
	 
</p>

<p>
	The company says that when it isolates the attacks that do not encrypt the data and only steal it, the payment rate plummets to 19%, which is also a record for that sub-category.
</p>

<p>
	 
</p>

<p>
	The average and median ransomware payments fell in Q3 compared to the previous quarter, reaching $377,000 and $140,000, respectively, according to Coveware.
</p>

<p>
	 
</p>

<p>
	The shift may reflect large enterprises revising their ransom payment policies and recognizing that those funds are better spent on strengthening defenses against future attacks.
</p>

<p>
	 
</p>

<p>
	The researchers also note that threat groups like Akira and Qilin, which accounted for 44% of all recorded attacks in Q3 2025, have switched focus to medium-sized firms that are currently more likely to pay a ransom.
</p>

<p>
	 
</p>

<p>
	Another notable trend over the past year is the rise of remote access compromise as the leading attack vector, alongside a significant increase in the use of software vulnerabilities.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Initial access vectors in Q3 2025" class="ipsImage" height="435" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/October/vectors.jpg">
		<figcaption>
			<em>Initial access vectors in Q3 2025<br>
			Source: Coveware</em>
		</figcaption>
	</figure>
</div>

<p>
	Coveware believes that diminishing profits are driving ransomware gangs to greater precision and that larger enterprises will be increasingly targeted as profit margins continue to shrink.
</p>

<p>
	 
</p>

<p>
	As larger organizations have strengthened their security posture, threat actors are likely to rely more on social engineering and <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-reporters-help-in-hacking-media-giant/" rel="external nofollow" target="_blank">insider recruitment</a>, offering large bribes for help gaining initial access.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-as-victims-stop-paying-hackers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 28 October 2025 at 12:54 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">32099</guid><pubDate>Tue, 28 Oct 2025 02:55:45 +0000</pubDate></item><item><title>10M people watched a YouTuber shim a lock; the lock company sued him. Bad idea.</title><link>https://nsaneforums.com/news/security-privacy-news/10m-people-watched-a-youtuber-shim-a-lock-the-lock-company-sued-him-bad-idea-r32092/</link><description><![CDATA[<h3>
	It’s still legal to pick locks, even when you swing your legs.
</h3>

<p>
	“Opening locks” might not sound like scintillating social media content, but Trevor McNally has turned lock-busting into online gold. A former US Marine Staff Sergeant, McNally today has more than 7 million followers and has amassed more than 2 billion views just by showing how easy it is to open many common locks by slapping, picking, or shimming them.
</p>

<p>
	 
</p>

<p>
	This does not always endear him to the companies that make the locks.
</p>

<p>
	 
</p>

<p>
	On March 3, 2025, a Florida lock company called Proven Industries released a social media promo video just begging for the McNally treatment. The video was called, somewhat improbably, “YOU GUYS KEEP SAYING YOU CAN EASILY BREAK OFF OUR LATCH PIN LOCK.” In it, an enthusiastic man in a ball cap says he will “prove a lot of you haters wrong.” He then goes hard at Proven’s $130 model 651 trailer hitch lock with a sledgehammer, bolt cutters, and a crowbar.
</p>

<p>
	 
</p>

<p>
	Naturally, the lock hangs tough.
</p>

<p>
	 
</p>

<p>
	An Instagram user brought the lock to McNally’s attention by commenting, “Let’s introduce it to the @mcnallyofficial poke.” Someone from Proven responded, saying that McNally only likes “the cheap locks lol because they are easy and fast.” Proven locks were said to be made of sterner stuff.
</p>

<p>
	 
</p>

<p>
	But on April 3, McNally posted a <a href="https://www.youtube.com/shorts/YjzlmKz_MM8" rel="external nofollow">saucy little video</a> to social media platforms. In it, he watches the Proven promo video while swinging his legs and drinking a Juicy Juice. He then hops down from his seat, goes over to a Proven trailer hitch lock, and opens it in a matter of seconds using nothing but a shim cut from a can of <a href="https://liquiddeath.com" rel="external nofollow">Liquid Death</a>. He says nothing during the entire video, which has been viewed nearly 10 million times on YouTube alone.
</p>

<p>
	 
</p>

<p>
	Despite practically begging people to attempt this, Proven Industries owner Ron Lee contacted McNally on Instagram. “Just wanted to say thanks and be prepared!” he wrote. McNally took this as a threat.
</p>

<p>
	 
</p>

<p>
	(Oddly enough, Proven’s own homepage <a href="https://www.youtube.com/watch?v=gIajKFBtq28&amp;t=3s" rel="external nofollow">features a video</a> in which the company trashes competing locks and shows just how easy it is to defeat them. And its news pages contain <a href="https://www.provenlocks.com/blogs/news/master-lock-failure-reasons" rel="external nofollow">articles</a> and videos on “The Hidden Flaws of Master Locks” and other brands. Why it got so upset about McNally’s video is unclear.)
</p>

<p>
	 
</p>

<p>
	The next day, Lee texted McNally’s wife. The message itself was apparently Lee’s attempt to de-escalate things; he says he thought the number belonged to McNally, and the message itself was unobjectionable. But after the “be prepared!” notice of the day before, and given the fact that Lee already knew how to contact him on Instagram, McNally saw the text as a way “to intimidate me and my family.” That feeling was cemented when McNally found out that Lee was a triple felon—and that in one case, Lee had hired someone “to throw a brick through the window of his ex-wife.”
</p>

<p>
	 
</p>

<p>
	Concerned about losing business, Lee kept trying to shut McNally down. Proven posted a “<a href="https://www.youtube.com/shorts/16nZqtT-1sI" rel="external nofollow">response video</a>” on April 6 and engaged with numerous social media commenters, telling them that things were “going to get really personal” for McNally. Proven employees alleged publicly that McNally was deceiving people about all the prep work he had done to make a “perfectly cut out” shim. Without extensive experience, long prep work, and precise measurements, it was said, Proven’s locks were in little danger of being opened by rogue actors trying to steal your RV.
</p>

<p>
	 
</p>

<p>
	“Sucks to see how many people take everything they see online for face value,” one Proven employee wrote. “Sounds like a bunch of liberals lol.”
</p>

<p>
	 
</p>

<p>
	Proven also had its lawyers file “multiple” DMCA takedown notices against the McNally video, claiming that its use of Proven’s promo video was copyright infringement.
</p>

<p>
	 
</p>

<p>
	McNally didn’t bow to the pressure, though, instead uploading several more videos showing him opening Proven locks. In <a href="https://www.youtube.com/shorts/MbQp5JcQwLA" rel="external nofollow">one of them</a>, he takes aim at Proven’s claims about his prep work by retrieving a new lock from an Amazon delivery kiosk, taking it outside—and popping it in seconds using a shim he cuts right on camera, with no measurements, from an aluminum can.
</p>

<p>
	On May 1, Proven filed a federal lawsuit against McNally in the Middle District of Florida, charging him with a huge array of offenses: (1) copyright infringement, (2) defamation by implication, (3) false advertising, (4) violating the Florida Deceptive and Unfair Trade Practices Act, (5) tortious interference with business relationships, (6) unjust enrichment, (7) civil conspiracy, <em>and</em> (8) trade libel. Remarkably, the claims stemmed from a video that all sides admit was accurate and in which McNally himself said nothing.
</p>

<figure class="ars-wp-img-shortcode id-2124130 align-center">
	<div>
		<img alt="Screenshot of a social media exchange." class="center medium" decoding="async" height="383" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-640x383.jpg 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-1024x613.jpg 1024w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-768x460.jpg 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-1536x920.jpg 1536w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-980x587.jpg 980w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-1440x862.jpg 1440w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks.jpg 1954w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/10/they-like-cheap-locks-640x383.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-icon bg-[left_top_5px] w-[10px] shrink-0">
				 
			</div>

			<div class="caption-content">
				<em>In retrospect, this was probably not a great idea. </em>
			</div>
		</div>
	</figcaption>
</figure>

<h2>
	Don’t mock me, bro
</h2>

<p>
	How can you defame someone without even speaking? Proven claimed “defamation by implication,” arguing that the whole setup of McNally’s videos was unfair to the company and its product. McNally does not show his prep work, which (Proven argued) conveys to the public the false idea that Proven’s locks are easy to bypass. While the shimming does work, Proven argued that it would be difficult for an untrained user to perform.
</p>

<p>
	 
</p>

<p>
	But what Proven really, <em>really</em> didn’t like was being mocked. McNally’s decision to drink—and shake!—a juice box on video comes up in court papers a mind-boggling number of times. Here’s a sample:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		McNally appears swinging his legs and sipping from an apple juice box, conveying to the purchasing public that bypassing Plaintiff’s lock is simple, trivial, and even comical…
	</p>

	<p>
		 
	</p>

	<p>
		…showing McNally drinking from, and shaking, a juice box, all while swinging his legs, and displaying the Proven Video on a mobile device…
	</p>

	<p>
		 
	</p>

	<p>
		The tone, posture, and use of the juice box prop and childish leg swinging that McNally orchestrated in the McNally Video was intentional to diminish the perceived seriousness of Proven Industries…
	</p>

	<p>
		 
	</p>

	<p>
		The use of juvenile imagery, such as sipping from a juice box while casually applying the shim, reinforces the misleading impression that the lock is inherently insecure and marketed deceptively…
	</p>

	<p>
		 
	</p>

	<p>
		The video then abruptly shifts to Defendant in a childlike persona, sipping from a juice box and casually applying a shim to the lock…
	</p>
</blockquote>

<p>
	In the end, Proven argued that the McNally video was “for commercial entertainment and mockery,” produced for the purpose of “humiliating Plaintiff.” McNally, it was said, “will not stop until he destroys Proven’s reputation.” Justice was needed. Expensive, litigious justice.
</p>

<p>
	 
</p>

<p>
	But the proverbially level-headed horde of Internet users does not always love it when companies file thermonuclear lawsuits against critics. Sometimes, in fact, the level-headed horde disregards everything taught by that fount of judicial knowledge, <a href="https://en.wikipedia.org/wiki/The_People%27s_Court" rel="external nofollow"><em>The People’s Court</em></a>, and they take the law into their own hands.
</p>

<p>
	 
</p>

<p>
	Proven was soon the target of McNally fans. The company says it was “forced to disable comments on posts and product videos due to an influx of mocking and misleading replies furthering the false narrative that McNally conveyed to the viewers.” The company’s customer service department received such an “influx of bogus customer service tickets… that it is experiencing difficulty responding to legitimate tickets.”
</p>

<figure class="ars-wp-img-shortcode id-2124129 align-center">
	<div>
		<img alt="Screenshot of a social media post from Proven Industries." class="center medium" decoding="async" height="561" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/10/fooling-people-for-years-640x561.jpg 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/fooling-people-for-years.jpg 660w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2025/10/fooling-people-for-years-640x561.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Proven was quite proud of its lawsuit… at first. </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Someone posted Lee’s personal phone number to the comment section of a McNally video, which soon led to “a continuous stream of harassing phone calls and text messages from unknown numbers at all hours of the day and night,” which included “profanity, threats, and racially charged language.”
</p>

<p>
	 
</p>

<p>
	Lest this seem like mere high spirits and hijinks, Lee’s partner and his mother both “received harassing messages through Facebook Messenger,” while other messages targeted Lee’s son, saying things like “I would kill your f—ing n—– child” and calling him a “racemixing pussy.”
</p>

<p>
	 
</p>

<p>
	This is clearly terrible behavior; it also has no obvious connection to McNally, who did not direct or condone the harassment. As for Lee’s phone number, McNally said that he had nothing to do with posting it and wrote that “it is my understanding that the phone number at issue is publicly available on the Better Business Bureau website and can be obtained through a simple Google search.”
</p>

<p>
	 
</p>

<p>
	And this, with both sides palpably angry at each other, is how things stood on June 13 at 9:09 am, when the case got a hearing in front of the Honorable Mary Scriven, an extremely feisty federal judge in Tampa. Proven had demanded a preliminary injunction that would stop McNally from sharing his videos while the case progressed, but Proven had issues right from the opening gavel:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>LAWYER 1:</strong> Austin Nowacki on behalf of Proven industries.<br>
		<strong>THE COURT:</strong> I’m sorry. What is your name?<br>
		<strong>LAWYER 1:</strong> Austin Nowacki.<br>
		<strong>THE COURT:</strong> I thought you said Austin No Idea.<br>
		<strong>LAWYER 2:</strong> That’s Austin Nowacki.<br>
		<strong>THE COURT</strong>: All right.
	</p>
</blockquote>

<p>
	When Proven’s lead lawyer introduced a colleague who would lead that morning’s arguments, the judge snapped, “Okay. Then you have a seat and let her speak.”
</p>

<p>
	 
</p>

<p>
	Things went on this way for some time, as the judge wondered, “Did the plaintiff bring a lock and a beer can?” (The plaintiff did not.) She appeared to be quite disappointed when it was clear there would be no live shimming demonstration in the courtroom.
</p>

<p>
	 
</p>

<p>
	Then it was on to the actual arguments. Proven argued that the 15 seconds of its 90-second promo video used by McNally were not fair use, that McNally had defamed the company by implication, and that shimming its locks was actually quite difficult. Under questioning, however, one of Proven’s employees admitted that he had been able to duplicate McNally’s technique, leading to the question from McNally’s lawyer: “When you did it yourself, did it occur to you for one moment that maybe the best thing to do, instead of file a lawsuit, was to fix [the lock]?”
</p>

<p>
	 
</p>

<p>
	At the end of several hours of wrangling, the judge stepped in, saying that she “declines to grant the preliminary injunction motion.” For her to do so, Proven would have to show that it was likely to win at trial, among other things; it had not.
</p>

<p>
	 
</p>

<p>
	As for the big copyright infringement claim, of which Proven had made so much hay, the judge reached a pretty obvious finding: You’re allowed to quote snippets of copyrighted videos in order to critique them.
</p>

<p>
	 
</p>

<p>
	“The purpose and character of the use to which Mr. McNally put the alleged infringed work is transformative, artistic, and a critique,” said the judge. “He is in his own way challenging and critiquing Proven’s video by the use of his own video.”
</p>

<p>
	 
</p>

<p>
	As for the amount used, it was “substantial enough but no more than is necessary to make the point that he is trying to critique Proven’s video, and I think that’s fair game and a nominative fair use circumstance.”
</p>

<p>
	 
</p>

<p>
	While Proven <em>might</em> convince her otherwise after a full trial, “the copyright claim fails as a basis for a demand for preliminary injunctive relief.”
</p>

<p>
	 
</p>

<p>
	As for “tortious interference” and “defamation by implication,” the judge was similarly unimpressed.
</p>

<p>
	 
</p>

<p>
	“The fact that you might have a repeat customer who is dissuaded to buy your product due to a criticism of the product is not the type of business relationship the tortious interference with business relationship concept is intended to apply,” she said.
</p>

<p>
	 
</p>

<p>
	In the end, the judge said she would see the case through to its end, if that was really what everyone wanted, but “I will pray that you all come to a resolution of the case that doesn’t require all of this. This is a capitalist market and people say what they say. As long as it’s not false, they say what they say.”
</p>

<p>
	 
</p>

<p>
	She gave Proven until July 7 to amend its complaint if it wished.
</p>

<p>
	 
</p>

<p>
	On July 7, the company dismissed the lawsuit against McNally instead.
</p>

<p>
	 
</p>

<p>
	Proven also made a highly unusual request: Would the judge please seal almost the entire court record—including the request to seal?
</p>

<p>
	 
</p>

<p>
	Court records are presumptively public, but Proven complained about a “pattern of intimidation and harassment by individuals influenced by Defendant McNally’s content.” According to the company, a key witness had already backed out of the case, saying, “Is there a way to leave my name and my companies name out of this due to concerns of potential BLOW BACK from McNally or others like him?” Another witness, who did submit a declaration, wondered, “Is this going to be public? My concern is that there may be some backlash from the other side towards my company.”
</p>

<p>
	 
</p>

<p>
	McNally’s lawyer laid into this seal request, pointing out that the company had shown no concern over these issues until it lost its bid for a preliminary injunction. Indeed, “Proven boasted to its social media followers about how it sued McNally and about how confident it was that it would prevail. Proven even encouraged people to search for the lawsuit.” Now, however, the company “suddenly discover[ed] a need for secrecy.”
</p>

<p>
	 
</p>

<p>
	The judge has not yet ruled on the request to seal.
</p>

<h2>
	Another way
</h2>

<p>
	The strange thing about the whole situation is that Proven actually knew how to respond constructively to the first McNally video. Its own <a href="https://www.youtube.com/shorts/16nZqtT-1sI" rel="external nofollow">response video</a> opened with a bit of humor (the presenter drinks a can of Liquid Death), acknowledged the issue (“we’ve had a little bit of controversy in the last couple days”), and made clear that Proven could handle criticism (“we aren’t afraid of a little bit of feedback”).
</p>

<p>
	 
</p>

<p>
	The video went on to show how their locks work and provided some context on shimming attacks and their likelihood of real-world use. It ended by showing how users concerned about shimming attacks could choose more expensive but more secure lock cores that should resist the technique.
</p>

<p>
	 
</p>

<p>
	Quick, professional, non-defensive—a great way to handle controversy.
</p>

<p>
	 
</p>

<p>
	But it was all blown apart by the company’s angry social media statements, which were unprofessional and defensive, and the litigation, which was spectacularly ill-conceived as a matter of both law and policy. In the end, the case became a classic example of the <a href="https://en.wikipedia.org/wiki/Streisand_effect" rel="external nofollow">Streisand Effect</a>, in which the attempt to censor information can instead call attention to it.
</p>

<p>
	 
</p>

<p>
	Judging from the number of times the lawsuit talks about 1) ridicule and 2) harassment, it seems like the case quickly became a personal one for Proven’s owner and employees, who felt either mocked or threatened. That’s understandable, but being mocked is not illegal and should never have led to a lawsuit or a copyright claim. As for online harassment, it remains a serious and unresolved issue, but launching a personal vendetta—and on pretty flimsy legal grounds—against McNally himself was patently unwise. (Doubly so given that McNally had a huge following and had already responded to DMCA takedowns by creating further videos on the subject; this wasn’t someone who would simply be intimidated by a lawsuit.)
</p>

<p>
	 
</p>

<p>
	In the end, Proven’s lawsuit likely cost the company serious time and cash—and generated little but bad publicity.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2025/10/suing-a-popular-youtuber-who-shimmed-a-130-lock-what-could-possibly-go-wrong/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 28 October 2025 at 3:38 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">32092</guid><pubDate>Mon, 27 Oct 2025 17:39:34 +0000</pubDate></item><item><title>Your logins could be among 180M just added to Have I Been Pwned - how to check for free</title><link>https://nsaneforums.com/news/security-privacy-news/your-logins-could-be-among-180m-just-added-to-have-i-been-pwned-how-to-check-for-free-r32089/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>This is a free service that shows whether your online accounts have likely been 'pwned,' or compromised, in a data breach. </strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong> ZDNET's key takeaways</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		    Two new Have I Been Pwned datasets added with millions of accounts.
	</li>
	<li>
		    Emails and passwords exposed in recent data breaches.
	</li>
	<li>
		    Check if your info was leaked and learn what to do next.
	</li>
</ul>

<p>
	 
</p>

<p>
	Cybersecurity expert Troy Hunt has added two new sets of compromised account records to the Have I Been Pwned database, including a massive dataset of 183 million accounts.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What is Have I Been Pwned?</strong></span>
</p>

<p>
	 
</p>

<p>
	Have I Been Pwned (HIBP) is a data breach "search engine" that allows anyone to submit their email address to see whether it appears in any publicly known data breach.
</p>

<p>
	 
</p>

<p>
	HIBP is a free service that can give you an overview of whether or not it is likely your online accounts have been "pwned," or compromised, in a data breach. Once you've submitted your email address for review, you are told how many data breaches, if any, your information has been leaked in. A timeline will show when the data breach occurred, along with a useful summary of the stolen or dumped data.
</p>

<p>
	 
</p>

<p>
	You can also use the HIBP side service, Pwned Passwords, to see if a password you commonly use is linked to exposed datasets.
</p>
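The Pwned Passwords check mentioned above can be done without ever sending the password, or even its full hash, to HIBP: the client hashes the password with SHA-1 and sends only the first five hex characters to the range endpoint, which returns every known hash suffix beginning with that prefix, and the match is made locally. The following Python script is an added example, not part of the ZDNET article or of HIBP's own code. The endpoint URL is the public one HIBP documents; the sample response body is constructed here so the check runs offline, and the counts in it are invented.

```python
import hashlib
import urllib.request

# Public HIBP Pwned Passwords range endpoint: GET /range/{first 5 hex chars of SHA-1}.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns ("SUFFIX:COUNT" per line,
# CRLF-terminated). The suffix on the second line belongs to the SHA-1 of "password";
# the counts are invented for this example, not real HIBP figures.
SAMPLE_RANGE_BODY = (
    "00000000000000000000000000000000000:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E5A0C1B2D3E4F5A6B7C8D9E0F1A2B3C4D5:0\r\n"  # padded entries can carry a count of 0
)


def split_sha1(password: str) -> tuple[str, str]:
    """Return the 5-character prefix sent to the API and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Look one suffix up in a range response; 0 means the hash is not in the corpus."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "hibp-range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords (0 if never)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed body; drop fetch= for a live check.
    print(pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE_BODY))
```

Because only the prefix leaves the machine, the same helper is safe to wire into a password-change form or a password manager audit; the live endpoint returns several hundred suffixes per prefix, so a match tells you the password is known to attackers, while a zero count only means it is not in HIBP's corpus.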

<p>
	 
</p>

<p>
	You can't use the service to view stolen or leaked data. Instead, HIBP gives you an overview of compromised data. At the time of writing, 917 breaches have been added to the service, which now brings its count to 15.32 billion accounts.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What information is included in these datasets?</strong></span>
</p>

<p>
	 
</p>

<p>
	According to the Have I Been Pwned updates, the first set includes 183 million records. Data was uploaded to HIBP on Oct. 21 with the assistance of Synthient, a threat intelligence service that shared the data with Hunt. In total, 183 million unique email addresses, the websites they were used on, and the passwords they were associated with were included.
</p>

<p>
	 
</p>

<p>
	The second addition is smaller at 3.9 million accounts. Added to HIBP on Oct. 27, this data breach relates to MyVidster, a video-sharing website that closed earlier this year and was reportedly used to bookmark and share pornography. Email addresses, usernames, and profile pictures were leaked on a public hacking forum.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Why does this dataset matter?</strong></span>
</p>

<p>
	 
</p>

<p>
	Synthient's contribution to HIBP is particularly interesting considering its sources. The data was aggregated while researcher Benjamin Brundage was exploring the stealer log ecosystem, in which website addresses, email addresses, and passwords are captured by information-stealing malware loaded onto victim devices.
</p>

<p>
	 
</p>

<p>
	After crawling sources including Telegram, social media websites, and forums, 3.5TB of information was collected -- or 23 billion rows of data.
</p>

<p>
	 
</p>

<p>
	It's often the case that these types of logs are reposted and recycled, so Hunt worked with the researcher to check whether any of the logs were already loaded into HIBP. In total, 92% of the dataset was preexisting, but this still left 183 million unique email addresses, of which 16.4 million had never been seen before in HIBP, whether in a breach or in earlier infostealer logs. This highlights that data which has already been dumped online can still contain valid credentials that put accounts at risk.
</p>

<p>
	 
</p>

<p>
	Credential-stuffing lists were also in the Synthient dataset, which could be used in automated attacks against organizations. This dataset will be added in the near future once its accuracy is established.
</p>

<p>
	 
</p>

<p>
	"The truth is that, unlike a single data breach such as Ashley Madison, Dropbox, or the many other hundreds already in HIBP, stealer logs are more of a firehose of data that's just constantly spewing personal info all over the place," Hunt noted. "The data itself is still on point, but I'd like to see HIBP better reflect that firehose analogy and provide a constant stream of new data. Until then, Synthient's Threat Data will still sit in HIBP and be searchable in all the usual ways."
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>How do I know if I am involved in this collection?</strong></span>
</p>

<p>
	 
</p>

<p>
	The first step to take is to visit Have I Been Pwned and submit your email address. You will then be able to see what data breaches you are connected to, including Synthient's dataset.
</p>

<p>
	 
</p>

<p>
	If you find that your email address has been exposed, ensure you immediately change any password associated with it. You might also want to reduce your risk by deleting any online accounts you no longer use.
</p>

<p>
	 
</p>

<p>
	This latest update also brings home the lesson that you shouldn't reuse passwords across your online services. Of course, it is difficult to remember unique, complex passwords, but that's where a password manager can help you out. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/your-logins-could-be-among-180m-just-added-to-have-i-been-pwned-how-to-check-for-free/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32089</guid><pubDate>Mon, 27 Oct 2025 15:57:40 +0000</pubDate></item><item><title>Gmail Passwords Confirmed As Part Of 183 Million Account Data Leak</title><link>https://nsaneforums.com/news/security-privacy-news/gmail-passwords-confirmed-as-part-of-183-million-account-data-leak-r32088/</link><description><![CDATA[<p>
	<em>Updated October 27 with an official statement from Google regarding the infostealer log dump and further advice from Gmail regarding compromised passwords.</em>
</p>

<p>
	 
</p>

<p>
	Earlier this year, I reported on a data leak that included a whopping 184,162,718 passwords and logins impacting the likes of Apple, Facebook and Instagram users. That data leak was disclosed on May 22, and now, in a rather spooky-seeming coincidence, news of 183 million passwords and login credentials from an April 2025 breach has emerged. Adding the details of website URLs, email addresses and passwords to the Have I Been Pwned database, owner Troy Hunt said the data consisted of both “stealer logs and credential stuffing lists” including confirmed Gmail login credentials. Here’s what we know and what you need to do.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>What We Know About The 183 Million Passwords Data Leak</strong></span>
</p>

<p>
	 
</p>

<p>
	Have I Been Pwned is something of a staple resource for anyone who is genuinely concerned about their account login security. Why so? Because it’s the go-to for discovering when any of your email addresses, accounts, or passwords are found in data leaks, dark web password breach lists, and the like. Best of all, it’s entirely free to use. When a new entry appears with the number of affected accounts being 183 million, and the compromised data listed as email addresses and passwords, more than a few heads will pop up above the parapets and pay attention. Mine certainly did following the October 21 addition.
</p>

<p>
	 
</p>

<p>
	Having done some digging for further information, I was drawn to a lengthy analysis by Hunt himself, which looked inside the Synthient threat data provided to HIBP. Benjamin Brundage from Synthient revealed in a blog posting that the data came from the results of monitoring infostealer platforms across the course of close to a year. 
</p>

<p>
	 
</p>

<p>
	The total amount of information sent to HIBP comprised 3.5 terabytes of data, 23 billion rows of it in all. The output of the stealer logs concerned, Hunt said, consisted primarily of three things: website address, email address and password. “Someone logging into Gmail,” Hunt wrote, “ends up with their email address and password captured against gmail.com, hence the three parts.” Of course, there’s a lot of recycling of credentials that goes on in the cybercriminal world, so Hunt initially wanted to check the freshness of the database he had in his hands.
</p>

<p>
	 
</p>

<p>
	An analysis of a 94k sample revealed 92% were not, in fact, new. “Most of what has been seen before was in the ALIEN TXTBASE stealer logs,” Hunt confirmed. However, the math wizards out there will have noted that this still leaves 8% that is new and fresh, or more than 14 million credentials if you extrapolate it. Actually, the final tally was 16.4 million previously unseen addresses in any data breach, not just stealer logs.
</p>

<p>
	 
</p>

<p>
	HIBP also checks to see if the credentials are genuine by sending out some of the details to people on the subscriber base who are impacted. “One of the respondents was already concerned there could be something wrong with his Gmail account,” Hunt said, and that person was able to validate that the entry was “an accurate password on my Gmail account.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Check If Your Gmail Passwords Are Impacted Now</strong></span>
</p>

<p>
	 
</p>

<p>
	Of course, it is not just Gmail users who will be impacted by this leak, so I would advise everyone to go and check at HIBP to see if their account credentials might be included.
</p>

<p>
	 
</p>

<p>
	I reached out to my contacts at Google for a statement, and a spokesperson told me: “This report covers broad infostealer activity that targets many types of web activities. When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords."
</p>

<p>
	 
</p>

<p>
	Google also advised Gmail users that if they have any reason to believe that their account has been hacked, they should immediately sign in and review the account activity. If you can’t sign in, Google said, then head for the account recovery page and answer the questions that are presented to the best of your ability.
</p>

<p>
	 
</p>

<p>
	“Additionally, to help users, we have a process for resetting passwords when we come across large credential dumps such as this,” Google said.
</p>

<p>
	 
</p>

<p>
	You can check if your Gmail password is exposed, weak, or reused across multiple accounts if you are a user of the Chrome password manager by using the Google password checkup feature. On a computer, this is accessible from Chrome by selecting Passwords and autofill from the top right menu, and then Google Password Manager|Checkup. 
</p>

<p>
	 
</p>

<p>
	This will reveal if you are using any passwords that are known to be compromised, as will most other password manager applications, as well as using the Have I Been Pwned? database check, as mentioned earlier, along with giving an indication of any weak passwords you may have in active use. “We’ll ask you to change your Google Account password if it might be unsafe, even if you don’t use Password Checkup,” Google said. And then, of course, there are those passwords that you reuse across multiple accounts and services, which Google will also inform you of. Talking of which, please do not do that, as it is a recipe for disaster, as this kind of password leak demonstrates all too well for Gmail users and everyone else, for that matter. As Google says, in a clear case of necessarily stating the obvious: "We recommend that you change any compromised passwords as soon as you can."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.forbes.com/sites/daveywinder/2025/10/27/gmail-passwords-confirmed-as-part-of-183-million-account-data-breach/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32088</guid><pubDate>Mon, 27 Oct 2025 15:42:58 +0000</pubDate></item><item><title>Microsoft denies accusations of screenshotting your gameplay to train Gaming Copilot</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-denies-accusations-of-screenshotting-your-gameplay-to-train-gaming-copilot-r32078/</link><description><![CDATA[<p>
	Microsoft recently <a automate_uuid="8385621a-0448-4959-9066-24188772bb4a" href="https://www.neowin.net/news/microsoft-begins-rolling-out-gaming-copilot-for-game-bar-and-xbox-app-on-mobile/" rel="external nofollow">launched Gaming Copilot</a>, a new flavor of its AI efforts tailored to gamers so that they can get help and useful info on the go, right from the Game Bar on their PCs. However, not everyone is happy about it, and people are now accusing Microsoft of sneakily taking screenshots of their gameplay to train AI.
</p>

<p>
	 
</p>

<p>
	<a automate_uuid="b70dba66-fbd4-4b57-be05-d20a0a4d2684" href="https://www.resetera.com/threads/gaming-copilot-installing-automatically-on-windows-11-pcs-now-trains-microsofts-models-on-users-pc-gameplay.1332163/" rel="external nofollow">A post</a> on the ResetEra forum has a user complaining about Gaming Copilot sending screenshots of their gameplay to Microsoft (spotted by analyzing network activity) without consent. There is also a screenshot of privacy settings turned on to allow Microsoft to use data to train its models, which, allegedly, were enabled, again, without consent. Naturally, the post sparked outrage in replies, and Microsoft now has an answer to that. A Microsoft spokesperson said the following:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		When you’re actively using Gaming Copilot in Game Bar, it can use screenshots of your gameplay to get a better understanding of what’s happening in your game and provide you with more helpful responses. These screenshots are not used to train AI models, and Gaming Copilot is an optional feature that only has access to gameplay when you’re playing a game and actively using it.
	</p>

	<p>
		 
	</p>

	<p>
		Separately, Gaming Copilot may use its text or voice conversations with players to help train and improve AI. Players can adjust Gaming Copilot’s privacy settings by visiting ‘Settings’ in [the] Game Bar, followed by ‘Privacy Settings.’
	</p>
</blockquote>

<p>
	In other words, Microsoft is not using screenshots of your gameplay to train AI. However, it still takes screenshots so that Copilot can understand what is going on. It is possible to let Microsoft use your conversations with Gaming Copilot to train models, but these features should be manually enabled in Gaming Copilot settings. <em>Neowin </em>checked Gaming Copilot on several machines, and all of them had training turned off by default.
</p>

<p>
	 
</p>

<p>
	Microsoft says that Gaming Copilot only takes screenshots when you are using the feature. Still, many users want to get rid of it, but the unfortunate reality is that the only way to remove Gaming Copilot is to get rid of Game Bar altogether, which, in turn, takes down quite a lot of actually useful features for PC gaming. What is clear is that despite Microsoft's efforts, people do not appear to be very happy with the overwhelming injection of AI into everyday products, particularly when it comes to privacy concerns.
</p>

<p>
	 
</p>

<p>
	Source: <a automate_uuid="8affa529-c0c7-4c18-94a8-be407baeacba" href="https://www.tomshardware.com/video-games/pc-gaming/microsoft-says-gaming-copilot-uses-screenshots-to-understand-in-game-events-not-for-training-ai-models-optional-feature-can-be-turned-off-but-not-easily-uninstalled" rel="external nofollow">Tom's Hardware</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-denies-accusations-of-screenshotting-your-gameplay-to-train-gaming-copilot/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Sunday 26 October 2025 at 4:49 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32078</guid><pubDate>Sat, 25 Oct 2025 18:50:26 +0000</pubDate></item><item><title>Mozilla: New Firefox extensions must disclose data collection practices</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-new-firefox-extensions-must-disclose-data-collection-practices-r32062/</link><description><![CDATA[<p>
	Starting next month, Mozilla will require Firefox extension developers to disclose whether their add-ons collect or share user data with third parties.
</p>

<p>
	 
</p>

<p>
	The devs will be required to disclose any new extension's data practices in the manifest.json file using a dedicated browser_specific_settings.gecko.data_collection_permissions key beginning November 3, 2025. Mozilla will also require all extension developers to adopt this framework in the first half of 2026.
</p>

<p>
	 
</p>

<p>
	Personally identifiable information that can be obtained through extension APIs or provided by the user <a href="https://extensionworkshop.com/documentation/develop/firefox-builtin-data-consent/#taxonomy" rel="external nofollow" target="_blank">includes</a>, but is not limited to, names, email addresses, search terms, and browsing activity data (e.g., domains, URLs, or categories of viewed pages).
</p>

<p>
	 
</p>

<p>
	Extensions that don't collect any personal data must also explicitly state this to ensure complete transparency for users about the data practices they can expect.
</p>

<p>
	 
</p>

<p>
	This information will appear during the installation prompt, along with any permissions requested. It will also be displayed on the extension's listing page on addons.mozilla.org and in the Permissions and Data section of Firefox's about:addons management page.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Firefox extensions data collection disclosure" class="ipsImage" height="250" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Firefox_extensions_data_collection_prompts.jpg">
		<figcaption>
			<em>Firefox extensions data collection disclosure (Mozilla)</em>
		</figcaption>
	</figure>
</div>

<p>
	"Developers can specify what data they wish to collect or transmit in their extensions manifest.json file. This information will be parsed by the browser and shown to the user when they first install the extension," <a href="https://blog.mozilla.org/addons/2025/10/23/data-collection-consent-changes-for-new-firefox-extensions/" rel="external nofollow" target="_blank">Mozilla explains</a>.
</p>

<p>
	 
</p>

<p>
	"A user can then choose to accept or reject the data collection, just like they do with extension permissions. The developer can also specify that the extension collects no data."
</p>

<p>
	 
</p>

<p>
	This requirement applies exclusively to newly submitted Firefox extensions. Existing add-ons won't need to comply until they update to use the new framework.
</p>

<p>
	 
</p>

<p>
	However, extensions that fail to properly declare their data collection practices will be blocked from submission to Mozilla's add-on repository, and their developers will receive explanatory error messages.
</p>
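Since a missing or malformed declaration now blocks submission, it is worth linting the manifest before uploading it. The Python check below is an added example, not Mozilla's tooling. The key path is the one named above; the category identifiers in KNOWN_CATEGORIES follow Mozilla's published data-collection taxonomy as I understand it, and the rule that "none" cannot be combined with other required categories is my reading of the documentation linked above, so verify both against it before relying on the script. The three manifests are constructed for the demonstration and their extension IDs are placeholders.

```python
import json

# Category identifiers from Mozilla's data-collection taxonomy, as I understand the
# Extension Workshop documentation (assumption: check against the current list).
KNOWN_CATEGORIES = {
    "authenticationInfo", "bookmarksInfo", "browsingActivity",
    "financialAndPaymentInfo", "healthInfo", "locationInfo",
    "personalCommunications", "personallyIdentifyingInfo", "searchTerms",
    "technicalAndInteraction", "websiteActivity", "websiteContent",
}
NONE = "none"  # declares that the extension collects no data at all


def lint_data_collection(manifest: dict) -> list[str]:
    """Return a list of problems with the data-collection declaration; empty means OK."""
    gecko = manifest.get("browser_specific_settings", {}).get("gecko", {})
    dcp = gecko.get("data_collection_permissions")
    if not isinstance(dcp, dict):
        return ["missing browser_specific_settings.gecko.data_collection_permissions"]
    required = dcp.get("required", [])
    optional = dcp.get("optional", [])
    if not isinstance(required, list) or not isinstance(optional, list):
        return ["required and optional must be arrays of category names"]
    problems = []
    if not required:
        problems.append('required is empty; declare ["none"] if nothing is collected')
    if NONE in required and len(required) > 1:
        # Assumption: "none" is exclusive and cannot sit beside real categories.
        problems.append('"none" cannot be combined with other required categories')
    for cat in required:
        if cat != NONE and cat not in KNOWN_CATEGORIES:
            problems.append(f"unknown required category: {cat}")
    for cat in optional:
        if cat not in KNOWN_CATEGORIES:
            problems.append(f"unknown optional category: {cat}")
    for cat in sorted(set(required) & set(optional)):
        problems.append(f"category listed as both required and optional: {cat}")
    return problems


def lint_manifest_text(text: str) -> list[str]:
    """Same check starting from the raw manifest.json text."""
    try:
        return lint_data_collection(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"manifest.json is not valid JSON: {exc}"]


# Constructed manifests for the demonstration; the extension IDs are placeholders.
MANIFEST_OK = {
    "manifest_version": 2,
    "name": "Example extension",
    "version": "1.0",
    "browser_specific_settings": {
        "gecko": {
            "id": "example@example.invalid",
            "data_collection_permissions": {
                "required": ["none"],
                "optional": ["technicalAndInteraction"],
            },
        }
    },
}
MANIFEST_NO_DECLARATION = {
    "manifest_version": 2,
    "name": "Undeclared extension",
    "version": "1.0",
    "browser_specific_settings": {"gecko": {"id": "undeclared@example.invalid"}},
}
MANIFEST_CONTRADICTORY = {
    "manifest_version": 2,
    "name": "Contradictory extension",
    "version": "1.0",
    "browser_specific_settings": {
        "gecko": {
            "id": "contradictory@example.invalid",
            "data_collection_permissions": {
                "required": ["none", "browsingActivity"],
                "optional": ["browsingActivity", "telemetry"],
            },
        }
    },
}

if __name__ == "__main__":
    for m in (MANIFEST_OK, MANIFEST_NO_DECLARATION, MANIFEST_CONTRADICTORY):
        print(m["name"], "->", lint_data_collection(m) or "OK")
```

Run it as a pre-commit or CI step over the packaged manifest.json; the declaration it validates is exactly what Firefox will render in the install prompt, so a mismatch between the categories listed and what the code actually transmits is a policy problem the lint cannot catch, only a human review can.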

<p>
	 
</p>

<p>
	Last month, Mozilla also announced that it will allow Firefox extension devs to <a href="https://www.bleepingcomputer.com/news/software/mozilla-now-lets-firefox-add-on-devs-roll-back-bad-updates/" rel="external nofollow" target="_blank">roll back to previously approved versions</a> to address critical bugs and issues quickly.
</p>

<p>
	 
</p>

<p>
	In June, it <a href="https://www.bleepingcomputer.com/news/security/mozilla-launches-new-system-to-detect-firefox-crypto-drainer-add-ons/" rel="external nofollow" target="_blank">introduced a security feature</a> for its add-on portal designed to block malicious extensions that drain cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/software/mozilla-new-firefox-extensions-must-disclose-data-collection-practices/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 25 October 2025 at 4:32 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32062</guid><pubDate>Fri, 24 Oct 2025 18:33:04 +0000</pubDate></item><item><title>Report: Gaming Copilot AI is being trained by watching you play games, and it is on by default</title><link>https://nsaneforums.com/news/security-privacy-news/report-gaming-copilot-ai-is-being-trained-by-watching-you-play-games-and-it-is-on-by-default-r32061/</link><description><![CDATA[<p>
	Take this with a grain of salt, but users have reported another privacy transgression by Microsoft. According to reports by users on <a data-wpel-link="external" href="https://www.resetera.com/threads/gaming-copilot-installing-automatically-on-windows-11-pcs-now-trains-microsofts-models-on-users-pc-gameplay.1332163/" rel="external nofollow" target="_blank">the Resetera forum</a> and elsewhere, Gaming Copilot, an AI assistant for gaming-related tasks, is taking screen captures of your gameplay for training.
</p>

<p>
	 
</p>

<p>
	While that would be fine if the user knew about it and enabled it willingly, it appears to be turned on automatically, without informing users about the data collection or how the data is used.
</p>

<p>
	 
</p>

<p>
	According to the user who noticed it first by monitoring network traffic, the AI is using OCR technology to identify text in the screenshots. If that reminds you of <a data-wpel-link="internal" href="https://www.ghacks.net/2024/09/30/windows-recall-microsofts-second-launch-attempt-after-devastating-criticism/" rel="external nofollow">Microsoft's Recall feature</a>, which it had to pull over similar privacy concerns and redo, you are not mistaken.
</p>

<p>
	 
</p>

<p>
	<strong>Note</strong>: Gaming Copilot is a beta feature. It is unclear if the recording happens in all regions or only in some. I checked on a recent Windows 11, version 24H2 system and did not have a Privacy settings section. However, the <a data-wpel-link="external" href="https://wccftech.com/microsoft-training-gaming-copilot-ai-watching-you-play-games-unless-you-turn-it-off/" rel="external nofollow" target="_blank">colleagues over at WCCFTech</a> checked and they had it and confirmed that it was enabled by default.
</p>

<h2>
	How to turn this off
</h2>

<figure aria-describedby="caption-attachment-210283" class="wp-caption alignnone" id="attachment_210283" style="width: 978px">
	<img alt="gaming-copilot-beta.png" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/10/gaming-copilot-beta.png">
	<figcaption class="wp-caption-text" id="caption-attachment-210283">
		<p>
			The privacy settings of Gaming Copilot. 
		</p>

		<p>
			(screenshot by RedbullCola / Resetera)
		</p>
	</figcaption>
</figure>

<p>
	If you are a gamer on Windows 11, you may want to check if Gaming Copilot is being trained by monitoring what and how you play.
</p>

<p>
	 
</p>

<ol>
	<li>
		Open the Start menu.
	</li>
	<li>
		Type Game Bar and press the Enter key. You may also use the shortcut Windows+G to get there directly.
	</li>
	<li>
		Select the Settings gear.
	</li>
	<li>
		Switch to Privacy settings.
	</li>
	<li>
		Toggle "Model training on text" to off.
	</li>
	<li>
		Go back.
	</li>
	<li>
		Open Capture settings.
	</li>
	<li>
		Toggle "Enable screenshots (experimental)" to off.
	</li>
</ol>

<p>
	 
</p>

<p>
	It is probably a good idea to check if the setting exists, even if you do not play games on the Windows 11 system. Unless you really, really want to help Microsoft train its gaming AI, you might want to turn it off immediately.
</p>

<figure aria-describedby="caption-attachment-210285" class="wp-caption alignnone" id="attachment_210285" style="width: 975px">
	<img alt="copilot-screenshots.png" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/10/copilot-screenshots.png">
	<figcaption class="wp-caption-text" id="caption-attachment-210285">
		<p>
			Gaming Copilot Capture settings 
		</p>

		<p>
			(Screenshot by RedbullCola / Resetera)
		</p>
	</figcaption>
</figure>

<p>
	The original thread starter posted another screenshot of another setting. Found under Capture settings, the preference "enable screenshots (experimental)" was enabled as well.
</p>

<p>
	 
</p>

<p>
	Microsoft did not display any onboarding or consent prompts to the user either, reportedly.
</p>

<p>
	 
</p>

<p>
	We asked Microsoft for comment, but have not heard back yet. We will update the article, if we get feedback from the company.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/10/24/report-gaming-copilot-ai-is-being-trained-by-watching-you-play-games-and-it-is-on-by-default/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 25 October 2025 at 4:30 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32061</guid><pubDate>Fri, 24 Oct 2025 18:31:49 +0000</pubDate></item><item><title>European Commission says Meta and TikTok could be violating DSA</title><link>https://nsaneforums.com/news/security-privacy-news/european-commission-says-meta-and-tiktok-could-be-violating-dsa-r32060/</link><description><![CDATA[<p>
	Preliminary findings released by the European Commission have found that Meta and TikTok have breached their obligations under the <a automate_uuid="11fc36fd-086c-4ed3-b925-e747a237d401" href="https://www.neowin.net/news/meta-must-stop-forcing-algorithmic-feeds-on-users-court-rules/" rel="external nofollow">Digital Services Act (DSA)</a>, which requires them to have measures in place against harmful and illegal content. There were two main breaches that the Commission flagged against Meta, while TikTok fell foul in one case.
</p>

<p>
	 
</p>

<p>
	For Meta and TikTok, the Commission said neither had given researchers adequate access to public data; it suggested that the platforms may have put in place burdensome procedures and tools for researchers to request data access. Meta was also called out for not giving Facebook and Instagram users a user-friendly and easily accessible mechanism for flagging illegal content. The Commission said that Meta’s reporting process had unnecessary steps and additional demands, and used deceptive interface designs that make the whole process less effective.
</p>

<p>
	 
</p>

<p>
	As expected, Meta has come out stating that it disagrees with the suggestion that it has breached the DSA. In a statement to Reuters, a Meta spokesperson said:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		“We have introduced changes to our content reporting options, appeals process, and data access tools since the DSA came into force and are confident that these solutions match what is required under the law in the EU.”
	</p>
</blockquote>

<p>
	Meanwhile, TikTok took a less definitive position, stating that it is reviewing the findings. TikTok, which was flagged for not making it easy enough for researchers to access public data, has argued that easing data safeguards would put the DSA and the GDPR in direct tension, and has urged regulators to provide more clarity on how to reconcile the two.
</p>

<p>
	 
</p>

<p>
	The Commission has now given Meta and TikTok the chance to examine the situation and remedy the breaches. However, if the preliminary findings are confirmed, then the Commission could impose a fine of up to 6% of annual global sales.
</p>

<p>
	 
</p>

<p>
	Source: <a automate_uuid="b94bc39e-eafa-4b1d-8c9d-c37746d8f9b2" href="https://www.reuters.com/sustainability/boards-policy-regulation/eu-preliminarily-finds-meta-tiktok-breach-transparency-obligations-2025-10-24/" rel="external nofollow">Reuters</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/european-commission-says-meta-and-tiktok-could-be-violating-dsa/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 25 October 2025 at 4:30 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32060</guid><pubDate>Fri, 24 Oct 2025 18:30:31 +0000</pubDate></item><item><title>Windows disables File Explorer previews for dangerous file downloads</title><link>https://nsaneforums.com/news/security-privacy-news/windows-disables-file-explorer-previews-for-dangerous-file-downloads-r32056/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><em>To help plug up a hash leakage vulnerability, Windows is making it a little harder to peek at files you just grabbed from the web. </em></span>
</p>

<p>
	 
</p>

<p>
	If you’ve been using the internet for more than a month or so, you know that downloading files from unknown sites is a great way to get compromised. But the latest security update to Windows does a little extra to keep you safe. According to Microsoft, those who install the latest security updates will have previews in Explorer automatically disabled for downloaded files.
</p>

<p>
	 
</p>

<p>
	Why? According to the support page (spotted by Bleeping Computer), it’s because there’s a vulnerability with leaking hash. So thanks to Microsoft, your breakfast griddle will be notably tidier now that…oh, wait, no, it’s “a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as &lt;link&gt;, &lt;src&gt;, and so forth) referencing external paths.” This could allegedly be used to capture “sensitive credentials.”
</p>

<p>
	 
</p>

<p>
	Mark of the Web metadata indicates that a file was downloaded from the internet, meaning Windows Defender will pay it a little extra attention. If you try to preview a downloaded file immediately, you’ll be met with the following alert message:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.
</p>

<p>
	 
</p>

<p>
	To disable this function after the October 14th, 2025 update, you’ll need to right-click the file, click “Properties,” then “Unblock.” It’ll need to be done for every file, and it might not take until you log into Windows again. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcworld.com/article/2952411/windows-disables-file-explorer-previews-for-dangerous-file-downloads.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32056</guid><pubDate>Fri, 24 Oct 2025 16:54:58 +0000</pubDate></item><item><title>Lying About Being in the Office? Microsoft Teams May Soon Rat You Out</title><link>https://nsaneforums.com/news/security-privacy-news/lying-about-being-in-the-office-microsoft-teams-may-soon-rat-you-out-r32055/</link><description><![CDATA[<p>
	Have you been avoiding your company's return-to-office edict? If you use Microsoft Teams, you may not be able to hide much longer, as a new feature will allow managers to see if their employees are in the office or not. 
</p>

<p>
	 
</p>

<p>
	The feature is currently under development and was spotted by TechRadar in the Microsoft 365 Roadmap. "When users connect to their organization's Wi-Fi, Teams will soon be able to automatically update their work location to reflect the building they're working from," Microsoft says. In other words, if they're not in the office, their managers could easily find out.
</p>

<p>
	 
</p>

<p>
	The feature should roll out in December on Windows and macOS. It will be disabled by default, but admins "will decide whether to enable it and require end-users to opt-in," Microsoft says. 
</p>

<p>
	 
</p>

<p>
	The report arrives as more companies are requiring employees to return to the office, either permanently or as part of a hybrid model (home/office). Microsoft itself has requested employees return to the office three days a week, if they live within 50 miles of a company office. 
</p>

<p>
	 
</p>

<p>
	In July, Teams got Slack-like threaded replies, which reduce clutter and let users keep all messages on one topic in a single thread. Last month, it also added Link Protection and File Protection features to warn users about potential malicious links and files appearing in chats. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/lying-about-being-in-the-office-microsoft-teams-may-soon-rat-you-out" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32055</guid><pubDate>Fri, 24 Oct 2025 16:37:39 +0000</pubDate></item><item><title>Microsoft issues emergency Windows server security patch - update now or risk attack</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-emergency-windows-server-security-patch-update-now-or-risk-attack-r32054/</link><description><![CDATA[<p>
	<span><em>Microsoft sounds the alarm after PoC emerges</em></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>    Microsoft issues emergency patch for a critical WSUS flaw enabling remote code execution</strong>
	</li>
	<li>
		<strong>    CVE-2025-59287 allows unauthenticated attackers to gain SYSTEM privileges without user interaction</strong>
	</li>
	<li>
		<strong>    An out-of-band update was released after public exploit code surfaced online</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft has issued an emergency Windows server security patch to fix a critical severity flaw apparently abused in the wild.
</p>

<p>
	 
</p>

<p>
	As part of its most recent Patch Tuesday cumulative update (October 14, 2025), Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Service (WSUS).
</p>

<p>
	 
</p>

<p>
	WSUS allows IT admins to manage patching computers within their network. The flaw was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.
</p>

<p>
	 
</p>

<p>
	<span><strong>Mitigations and workarounds</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft has now released an out-of-band (OOB) security update, after spotting publicly available proof-of-concept (PoC) code.
</p>

<p>
	 
</p>

<p>
	Although the Patch Tuesday update already included a fix for CVE-2025-59287, Microsoft issued an out-of-band update to urgently alert administrators and ensure immediate installation after the public exploit became available.
</p>

<p>
	 
</p>

<p>
	"If you haven't installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead,” Microsoft explained in a security advisory. “After you install the update you will need to reboot your system."
</p>

<p>
	 
</p>

<p>
	There is also a way to mitigate the risk, Microsoft explained, saying that Windows servers without the WSUS server role enabled are not vulnerable. “If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled," Microsoft explained.
</p>

<p>
	 
</p>

<p>
	Available workarounds include disabling the WSUS Server Role, or blocking all inbound traffic to ports 8530 and 8531 on the host firewall. In that case, though, Windows endpoints will stop receiving updates.
</p>

<p>
	 
</p>

<p>
	Microsoft also added that WSUS will no longer show synchronization error details after installing the update, since the functionality was temporary in the first place.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/microsoft-issues-emergency-windows-server-security-patch-update-now-or-risk-attack" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32054</guid><pubDate>Fri, 24 Oct 2025 16:31:08 +0000</pubDate></item><item><title>Researchers expose large-scale YouTube malware distribution network</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-expose-large-scale-youtube-malware-distribution-network-r32052/</link><description><![CDATA[<p>
	Check Point researchers have uncovered, mapped and helped set back a stealthy, large-scale malware distribution operation on YouTube they dubbed the “YouTube Ghost Network.”
</p>

<p>
	 
</p>

<p>
	The network published more than 3,000 videos across compromised or fake channels, luring viewers with game cheats, cracked software, or pirated tools, but instead delivering malware or phishing pages.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>The YouTube Ghost Network</strong></span>
</p>

<p>
	 
</p>

<p>
	The YouTube Ghost Network is strikingly similar to the Stargazers Ghost Network, a previously uncovered network of fake or hijacked GitHub accounts that served as a malware and phishing link Distribution-as-a-Service.
</p>

<p>
	 
</p>

<p>
	In the Stargazers Ghost Network, different accounts filled different roles. Some accounts directed targets to malicious downloads, others served malware, and others still starred, forked, and subscribed to malicious repositories, in an obvious attempt to make the other accounts appear legitimate to potential victims.
</p>

<p>
	 
</p>

<p>
	Similarly, the YouTube Ghost Network consists of video accounts, post accounts, and interact accounts.
</p>

<p>
	 
</p>

<p>
	Video accounts, which are either hijacked or created by the malware peddlers, upload videos that promise something appealing, e.g., a free/cracked version of Adobe Photoshop, or game hacks for popular games like Roblox. The descriptions contain download links or direct viewers to password-protected archives on services like Dropbox, Google Drive or MediaFire, and they often tell users to temporarily disable Windows Defender before installing the downloaded cracked software.
</p>

<p>
	 
</p>

<p>
	Post accounts publish community posts with the same links and passwords, and interact accounts flood comment sections with fake endorsements, creating a false sense of trust.
</p>

<p>
	 
</p>

<p>
	“While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns,” the researchers noted.
</p>

<p>
	 
</p>

<p>
	“Targeting users through Ghost Networks is analogous to casting nets across the web, users must approach and essentially infect themselves.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>A resilient malware distribution network</strong></span>
</p>

<p>
	 
</p>

<p>
	The YouTube Ghost Network is designed to keep a low profile and to be resilient.
</p>

<p>
	 
</p>

<p>
	Most of the accounts are compromised legitimate YouTube channels. Once a channel is banned or flagged, the network simply replaces it, and because the roles are divided across different accounts, the operation remains resilient even when parts are taken down.
</p>

<p>
	 
</p>

<p>
	“Threat actors regularly updated links and payloads, enabling persistent infection chains even after partial removals,” the researchers noted.
</p>

<p>
	 
</p>

<p>
	“The technical sophistication of these campaigns is further evidenced by the use of password-protected archives, redundant hosting platforms, and frequent updates to both payloads and command-and-control (C2) infrastructure. These tactics are specifically designed to evade automated detection, reputation-based blocking, and manual review by both platform operators and security vendors.”
</p>

<p>
	 
</p>

<p>
	Most of the malware distributed through this network are infostealers, most notably the Lumma Stealer and Rhadamanthys.
</p>

<p>
	The network has been active since at least 2021, but in 2025, the number of malicious videos has tripled.
</p>

<p>
	 
</p>

<p>
	The YouTube Ghost Network has been crippled after the researchers flagged and Google took down over 3,000 malicious videos, but the individuals behind this effort are unlikely to give up easily.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.helpnetsecurity.com/2025/10/23/youtube-malware-distribution-network-ghost/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32052</guid><pubDate>Fri, 24 Oct 2025 11:16:35 +0000</pubDate></item><item><title>Microsoft shares Windows Server KB5070881 KB5070879 KB5070884 OOB updates for CVE-2025-59287</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-shares-windows-server-kb5070881-kb5070879-kb5070884-oob-updates-for-cve-2025-59287-r32051/</link><description><![CDATA[<p>
	Microsoft earlier today released emergency patches for a remote code execution security vulnerability on all supported Windows Server versions. Remote code execution (RCE) attacks are a fairly dangerous cyberattack technique as threat actors do not require physical access to hardware to run malicious code intended to harm the victims.
</p>

<p>
	 
</p>

<p>
	The security flaw tracked under ID CVE-2025-59287 is affecting the Windows Server Update Services (WSUS), though Microsoft does note that servers that do not have the WSUS server role enabled are not vulnerable to this exploit. The emergency out-of-band (OOB) update, <a href="https://www.neowin.net/news/microsoft-releases-kb5070762-windows-11-25h2-24h2-emergency-recovery-update/" rel="external nofollow">the second this month</a>, is now out and the company notes that this is cumulative in nature too just like other Windows updates, which means admins and users will not need to install any other previous update before installing this OOB update.
</p>

<p>
	 
</p>

<p>
	Microsoft writes: "An out-of-band (OOB) update was released today, October 23, 2025, to address this issue. This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions. If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead."
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			Windows Server 2025 (KB5070881)
		</p>
	</li>
	<li>
		<p>
			Windows Server, version 23H2 (KB5070879)
		</p>
	</li>
	<li>
		<p>
			Windows Server 2022 (KB5070884)
		</p>
	</li>
	<li>
		<p>
			Windows Server 2019 (KB5070883)
		</p>
	</li>
	<li>
		<p>
			Windows Server 2016 (KB5070882)
		</p>
	</li>
	<li>
		<p>
			Windows Server 2012 R2 (KB5070886)
		</p>
	</li>
	<li>
		<p>
			Windows Server 2012 (KB5070887)
		</p>
	</li>
</ul>

<p>
	Microsoft notes that these updates are downloaded and installed automatically.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-shares-windows-server-kb5070881-kb5070879-kb5070884-oob-updates-for-cve-2025-59287/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 24 October 2025 at 6:11 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32051</guid><pubDate>Fri, 24 Oct 2025 08:12:26 +0000</pubDate></item><item><title>Hackers earn $1,024,750 for 73 zero-days at Pwn2Own Ireland</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-earn-1024750-for-73-zero-days-at-pwn2own-ireland-r32048/</link><description><![CDATA[<p>
	The Pwn2Own Ireland 2025 hacking competition has ended with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities.
</p>

<p>
	 
</p>

<p>
	At Pwn2Own Ireland 2025, competitors <a href="https://www.zerodayinitiative.com/blog/2025/7/30/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target" rel="external nofollow" target="_blank">targeted products in eight categories</a>, including printers, network storage systems, messaging apps, smart home devices, surveillance equipment, home networking equipment, flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), and wearable technology (including Meta's Ray-Ban Smart Glasses and Quest 3/3S headsets).
</p>

<p>
	 
</p>

<p>
	This year's contest also expanded the attack surface to include USB port exploitation on mobile handsets, requiring researchers to hack locked devices via a physical connection. However, traditional wireless protocols like Bluetooth, Wi-Fi, and NFC (near-field communication) remained valid attack vectors.
</p>

<p>
	 
</p>

<p>
	The hacking contest, co-sponsored by Meta alongside QNAP and Synology, took place from October 21 to October 23 in Cork, Ireland.
</p>

<p>
	 
</p>

<p>
	Summoning Team won this year's edition of Pwn2Own Ireland with 22 Master of Pwn points and $187,500 earned throughout the three-day event after hacking the Samsung Galaxy S25, the Synology DiskStation DS925+ NAS, the Home Assistant Green, the Synology ActiveProtect Appliance DP320 NAS drive, the Synology CC400W camera, and the QNAP TS-453E NAS device.
</p>

<p>
	 
</p>

<p>
	Team ANHTUD secured the second position with $76,750 and 11.5 Master of Pwn points, while Team Synactiv took third place with $90,000 in prizes and 11 Master of Pwn points.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Final Pwn2Own leaderboard" class="ipsImage" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Pwn2Own-Ireland-Leaderboard.webp">
		<figcaption>
			<em>Final Pwn2Own leaderboard (ZDI)</em>
		</figcaption>
	</figure>
</div>

<p>
	On the first day of Pwn2Own Ireland, hackers <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/" rel="external nofollow" target="_blank">exploited 34 unique zero-days</a> and collected $522,500 in cash awards. On the second day of the event, they <a href="https://www.bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/" rel="external nofollow" target="_blank">demoed another 22 unique zero-day vulnerabilities</a> for $267,500.
</p>

<p>
	 
</p>

<p>
	The highlight of the last day was the <a href="https://bsky.app/profile/thezdi.bsky.social/post/3m3u364klok27" rel="external nofollow" target="_blank">Samsung Galaxy S25 getting hacked by Interrupt Labs' team</a> via an improper input validation bug; the team earned 5 Master of Pwn points and $50,000 after also enabling location tracking and the camera in the process.
</p>

<p>
	 
</p>

<p>
	While Team Z3 was also scheduled today to demonstrate a WhatsApp Zero-Click remote code execution zero-day, eligible for <a href="https://www.bleepingcomputer.com/news/security/pwn2own-hacking-contest-pays-1-million-for-whatsapp-exploit/" rel="external nofollow" target="_blank">a $1 million reward</a>, they <a href="https://x.com/thezdi/status/1981419691068575885" rel="external nofollow" target="_blank">withdrew from the competition</a>. They chose to disclose their findings privately to ZDI analysts before sharing their research with Meta's engineering team.
</p>

<p>
	 
</p>

<p>
	The Zero Day Initiative (ZDI) organizes this hacking contest to identify security vulnerabilities before threat actors can exploit them in attacks and coordinate responsible disclosure with the affected vendors. 
</p>

<p>
	 
</p>

<p>
	After the zero-days are exploited at Pwn2Own, the vendors have 90 days to release patches before Trend Micro's Zero Day Initiative publicly discloses them.
</p>

<p>
	 
</p>

<p>
	In January 2026, the ZDI will once again be at the Automotive World technology show in Tokyo, Japan, <a href="https://www.zerodayinitiative.com/blog/2025/10/16/pwn2own-automotive-returns-to-tokyo-with-expanded-chargers-and-more" rel="external nofollow" target="_blank">for the third Pwn2Own Automotive contest</a>, again sponsored by Tesla.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 24 October 2025 at 6:06 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32048</guid><pubDate>Fri, 24 Oct 2025 08:07:16 +0000</pubDate></item><item><title>Researchers Find Severe Vulnerabilities in AI Browser</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-find-severe-vulnerabilities-in-ai-browser-r32038/</link><description><![CDATA[<p>
	A hype cycle as overwhelming and logic-defying as the AI boom comes with its own whirlwind succession of trends that are their own mini booms driven by billions of dollars of money.
</p>

<p>
	 
</p>

<p>
	Once the world got used to large language model-powered AI chatbots, autonomous AI agents became the next big thing. This past year, video generating models have been having their time in the Sun after rapid improvements. What will be the next hot trend? So-called “world models” that can simulate physical environments?
</p>

<p>
	 
</p>

<p>
	Maybe. But for now, instead, it’s “AI browsers” designed to supercharge your web experience with machine learning features.
</p>

<p>
	 
</p>

<p>
	OpenAI is currently trying to will this trend into existence with the release of its own web browser called “ChatGPT Atlas,” which it announced Tuesday. It reeks of a company bereft of exciting ideas, sure, but if anyone can make it a thing, it would be the makers of the world’s most popular chatbot.
</p>

<p>
	 
</p>

<p>
	New research from the web browser company Brave, however, should dampen the enthusiasm for the tech. In a report released Tuesday, the company outlined glaring security flaws with Perplexity’s Comet Browser, which allows users to take screenshots on websites so a built-in AI can analyze them and answer questions. According to Brave’s findings, the screenshot feature can be a vector for an attack known as a prompt injection, in which a hacker delivers a hidden message to an AI to carry out harmful instructions. These messages can be embedded in malicious webpages designed by the hacker.
</p>

<p>
	 
</p>

<p>
	In a video demonstration, the Perplexity AI browser is asked “Who is the author?” of a screenshot of a photograph. Within seconds, the AI opens the user’s personal email and visits a website set up by a hacker. The photograph, it turned out, contained text instructions imperceptible to the human eye — but the AI extracted and followed them without distinguishing them from the user’s prompt, according to the researchers.
</p>

<p>
	 
</p>

<p>
	“The scariest aspect of these security flaws is that an AI assistant can act with the user’s authenticated privileges,” Brave warned. “An agentic browser hijacked by a malicious site can access a user’s banking, work email or other sensitive accounts.”
</p>

<p>
	 
</p>

<p>
	Prompt injection attacks aren’t new, and have been a cause for concern ever since ChatGPT exploded the popularity of LLMs.
</p>

<p>
	But the stakes of the havoc they can wreak have been raised with the advent of autonomous AI models, or agents, that can control a user’s desktop unlike a typical chatbot, enabling them to browse the web and access and change files. 
</p>

<p>
	 
</p>

<p>
	Now with AI browsers on the horizon, countless more users are just a button-click away from being exposed to these risks that they’re likely oblivious to. A previous report from Brave showed how another prompt injection attack tricked Perplexity’s Comet browser into potentially giving hackers access to your bank account by showing it a single Reddit post.
</p>

<p>
	 
</p>

<p>
	“AI-powered browsers that can take actions on your behalf are powerful yet extremely risky,” the report warned. The attacks “boil down to a failure to maintain clear boundaries between trusted user input and untrusted Web content when constructing LLM prompts while allowing the browser to take powerful actions on behalf of the user.”
</p>

<p>
	 
</p>

<p>
	These are problems inherent both to LLMs and their questionable wedding with a web browser. In other words, expect these same vulnerabilities to show up in OpenAI’s AI browser, too — only with millions of more people exposed to them.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://futurism.com/artificial-intelligence/researchers-severe-vulnerabilities-ai-browser-comet" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32038</guid><pubDate>Thu, 23 Oct 2025 21:38:31 +0000</pubDate></item><item><title>This &#x2018;Privacy Browser&#x2019; Has Dangerous Hidden Features</title><link>https://nsaneforums.com/news/security-privacy-news/this-%E2%80%98privacy-browser%E2%80%99-has-dangerous-hidden-features-r32036/</link><description><![CDATA[<p>
	<strong>The Universe Browser is believed to have been downloaded millions of times. But researchers say it behaves like malware and has links to Asia’s booming cybercrime and illegal gambling networks.</strong>
</p>

<p>
	 
</p>

<p>
	The Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the “fastest browser,” that people using it will “avoid privacy leaks” and that the software will help “keep you away from danger.” However, everything likely isn’t as it seems.
</p>

<p>
	 
</p>

<p>
	The browser, which is linked to Chinese online gambling websites and is thought to have been downloaded millions of times, actually routes all internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.
</p>

<p>
	 
</p>

<p>
	Perhaps most significantly, the Infoblox researchers, who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money-laundering, illegal online gambling, human trafficking, and scam operations that use forced labor. The browser itself, the researchers say, is directly linked to a network around major online gambling company BBIN, which the researchers have labeled a threat group they call Vault Viper.
</p>

<p>
	 
</p>

<p>
	The researchers say the discovery of the browser—plus its suspicious and risky behavior—indicates that criminals in the region are becoming increasingly sophisticated. “These criminal groups, particularly Chinese organized crime syndicates, are increasingly diversifying and evolving into cyber enabled fraud, pig butchering, impersonation, scams, that whole ecosystem,” says John Wojcik, a senior threat researcher at Infoblox, who also worked on the project when he was a staff member at the UNODC.
</p>

<p>
	 
</p>

<p>
	“They’re going to continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and concerning, and this is one example of where we see that.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Under the Hood</strong></span>
</p>

<p>
	 
</p>

<p>
	The Universe Browser was first spotted—and mentioned by name—by Infoblox and UNODC at the start of this year when they began unpacking the digital systems around an online casino operation based in Cambodia, which was previously raided by law enforcement officials. Infoblox, which specializes in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group.
</p>

<p>
	 
</p>

<p>
	Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper activity, Infoblox researchers say in a report shared with WIRED. They also say they examined hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or other subsidiaries. Time and time again, they came across the Universe Browser online.
</p>

<p>
	 
</p>

<p>
	“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls,” says Maël Le Touz, a threat researcher at Infoblox. The Infoblox report says the browser was “specifically” designed to help people in Asia—where online gambling is largely illegal—bypass restrictions. “Each of the casino websites they operate seem to contain a link and advertisement to it,” Le Touz says.
</p>

<p>
	<br />
	The Universe Browser itself is mostly offered for direct download from these casino websites—often being linked at the bottom of the websites, next to the logo of BBIN. There are desktop versions available for Windows, as well as an app version in Apple’s App Store. And while it is not in Google’s Play Store, there are Android APK files that allow the app to be directly installed on Android phones. The researchers say multiple parts of the Universe Browser and the code for its apps reference BBIN, and other technical details also reference the company.
</p>

<p>
	 
</p>

<p>
	The researchers reverse-engineered the Windows version of the browser. They say that while they have been unable to “verify malicious intent,” elements of the browser that they uncovered include many features that are similar to those found in malware and try to evade detection by antivirus tools. When the browser is launched, it “immediately” checks for the user's location, language, and whether it is running in a virtual machine. The app also installs two browser extensions, one of which can allow screenshots to be uploaded to domains linked to the browser.
</p>

<p>
	 
</p>

<p>
	While online gambling in China is largely illegal, the country also runs some of the world’s strictest online censorship operations and has taken action against illegal gambling rings. While the browser may most often be used by those trying to take part in illegal gambling, it also puts their data at risk, the researchers say. “In the hands of a malicious actor—a Triad for example—this browser would serve as the perfect tool to identify wealthy players and obtain access to their machine,” the Infoblox report says.
</p>

<p>
	 
</p>

<p>
	Beyond connecting to China, running key logging, and other programs that run in the background, Infoblox’s report also says multiple functions have been disabled. “The right click, settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features including sandboxing, and the removal of legacy SSL protocols, greatly increasing risk when compared with typical mainstream browsers,” the company’s report says. (SSL, also known as Secure Sockets Layer, is a historic type of web encryption that protected some data transfers.)
</p>

<p>
	 
</p>

<p>
	It is unclear whether these same suspicious behaviors are present in the iOS and Android versions of the app. A Google spokesperson says the company is looking into the app and confirmed it was not available through its Google Play store. Apple did not respond to requests for comment about the app.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Connect the Dots</strong></span>
</p>

<p>
	 
</p>

<p>
	The web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. While it was originally founded in Taiwan, the company now has a large base in the Philippines.
</p>

<p>
	 
</p>

<p>
	BBIN, which also goes by the name Baoying Group and has multiple subsidiaries, describes itself as a “leading” supplier of iGaming software in Asia. A UNODC report from April, which links BBIN to the Universe Browser but does not formally name the company as Vault Viper, says the firm runs several hotels and casinos in Southeast Asia as well as providing “one of the largest and most successful” iGaming platforms in the region. Over the last decade, BBIN has sponsored or partnered with multiple major European soccer teams, such as Spain’s Atlético de Madrid, Germany’s Borussia Dortmund, and Dutch team AFC Ajax.
</p>

<p>
	 
</p>

<p>
	In recent years, multiple football clubs in England’s Premier League have faced scrutiny over sponsorship by Asian gambling companies—including by TGP Europe which was owned by Alvin Chau, the chairman and founder of SunCity Group who was sentenced in January 2023 to 18 years in prison after being found guilty of running illegal gambling operations. TGP Europe left the UK earlier this year after being fined by the country’s gambling regulator. Atlético Madrid, Borussia Dortmund, and AFC Ajax did not respond to WIRED requests for comment.
</p>

<p>
	 
</p>

<p>
	The iGaming industry develops online gambling software, such as virtual poker or other online casino games, that can easily be played on the web or on phones. “BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites,” says Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organized crime. “The only languages it offers are Korean, Japanese and Chinese, which isn’t a great sign as online gambling is either banned or heavily restricted in all three countries.”
</p>

<p>
	 
</p>

<p>
	“Baoying and BBIN are what I would call a multi-billion dollar gray-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams and cybercrime actors,” alleges Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia. “Aside from what has been estimated at a two-thirds ownership by Alvin Chau of SunCity—arguably the biggest money launderer in the history of Asia—law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, Tian Dao,” Douglas says of BBIN. (When Chau was sentenced in January 2023, court documents pointed to him allegedly owning a 66.67 percent share of Baoying.)
</p>

<p>
	 
</p>

<p>
	BBIN did not respond to multiple requests for comment from WIRED. Emails to the primary contact address the firm lists on its website bounced, while questions sent to another email address and through online contact forms, plus attempts to contact two alleged staff members on LinkedIn, went unanswered by the time of publication. A company Telegram account pointed WIRED to one of the contact forms, which did not produce any answers.
</p>

<p>
	 
</p>

<p>
	The Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines, which tackles organized and international crimes, did not respond to a request for comment from WIRED about BBIN.
</p>

<p>
	 
</p>

<p>
	Over the last decade, online crime in Southeast Asia has massively surged, driven partially by illegal online gambling and also a series of scam compounds that have been set up across Myanmar, Laos, and Cambodia. Hundreds of thousands of people from more than 60 countries have been tricked into working in these compounds, where they operate scams day and night, stealing billions of dollars from people around the world.
</p>

<p>
	 
</p>

<p>
	“Scam parks and compounds across the region generally host both online gambling and online scam operations, and the methodology used to lure individuals into opening online gambling accounts parallels that associated with pig-butchering scams,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime.
</p>

<p>
	<br />
	Last week, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organization, which publicly dealt in real estate but allegedly ran scam facilities in “secret.” One of the sanctioned entities, the Jin Bei Group in Cambodia, which US authorities accused of operating a series of scam compounds, also shows links to BBIN’s technology, Tower says. “There are multiple Telegram groups and casino websites indicating that BBIN partners with multiple entities inside the Jinbei casino,” Tower says, adding that one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”
</p>

<p>
	 
</p>

<p>
	Over recent years, multiple government press releases and news reports from countries including China and Taiwan have alleged that BBIN’s technology has been used within illegal gambling operations and have linked it to cybercrime. “There are hundreds of Telegram posts aggressively advertising various illegal Chinese facing gambling sites that say they either are, or are built on, BBIN/Baoying technology, many of them by individuals claiming to operate out of scam and illegal gambling compounds, or as part of the highly illegal, trafficking-driven industry in Cambodia and Northern Myanmar,” says Kennedy from The EyeWitness Project.
</p>

<p>
	 
</p>

<p>
	While the Universe Browser has most likely been downloaded mainly by people accessing Chinese-language gambling websites, researchers say its development shows how pivotal and lucrative illegal online gambling operations have become, and it exposes their links to scam operations that span the world. “As these operations continue to scale and diversify, they are marked by growing technical expertise, professionalization, operational resilience, and the ability to function under the radar with very limited scrutiny and oversight,” Infoblox’s report concludes.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/universe-browser-malware-gambling-networks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32036</guid><pubDate>Thu, 23 Oct 2025 21:29:40 +0000</pubDate></item><item><title>Microsoft warns of potential cybersecurity disaster if you stay on Windows 10</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-potential-cybersecurity-disaster-if-you-stay-on-windows-10-r32032/</link><description><![CDATA[<p>
	<a automate_uuid="ab87ffb9-b81e-484d-8c22-c02e8c6eac4a" href="https://www.neowin.net/news/kb5066791-microsoft-shares-details-on-windows-10-support-end-with-final-october-2025-patch/" rel="external nofollow">Support for Windows 10 ended about 10 days ago</a>, but you can still stick with the OS either through the Extended Security Updates (ESU) program or by just not caring about security updates at all. That said, Microsoft is trying hard to encourage people to <a automate_uuid="190e6b79-86c1-4b4e-81ed-f9a7490144e5" href="https://www.neowin.net/news/microsoft-lets-every-windows-10-and-11-user-upgrade-to-windows-11-25h2-on-supported-pcs/" rel="external nofollow">upgrade to Windows 11 as quickly as possible</a>. To that end, it recently published a blog post warning about the dangers of staying on unsupported systems like Windows 10.
</p>

<p>
	 
</p>

<p>
	Microsoft's latest write-up is available on the rather obscure <a automate_uuid="21e7d08d-a627-4e66-9de8-859998580987" href="https://www.microsoft.com/en-us/windows/business/knowledge-center/unsupported-systems-security-risks" rel="external nofollow">Windows for Business blog</a>, and it highlights how weaknesses in your IT infrastructure can be exploited by malicious actors. The company emphasizes that the end of support for software like Windows 10 does not just mean the software is outdated; it means the system no longer receives security fixes and is left unprotected. Interestingly, the piece doesn't touch upon ESU or <a automate_uuid="7b167b8f-2211-499e-8534-4ba5542346f2" href="https://www.neowin.net/news/support-for-windows-10-has-ended-but-microsoft-defender-will-continue-to-protect-your-pc/" rel="external nofollow">Microsoft Defender's continued protection</a> at all.
</p>

<p>
	 
</p>

<p>
	Because it ignores ESU and Microsoft Defender altogether, the blog can make the case that legacy systems no longer receive regular updates, only band-aid fixes that are often not enough. Microsoft cites its own report, which indicates that 90% of ransomware attacks involve unmanaged devices that lack properly configured security controls. The company notes that outdated systems like Windows 10 create the following blind spots:
</p>

<p>
	 
</p>

<ul>
	<li>
		Endpoint security gaps
	</li>
	<li>
		Compliance and audit risks
	</li>
	<li>
		Access control vulnerabilities
	</li>
	<li>
		Data governance breakdowns
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft went on to highlight the gravity of this cybersecurity threat even further by saying that:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Hackers don’t need to break your strongest lock. They just need to wait until you leave a window open. With Windows 10 end of support on the horizon, attackers already know many businesses will lag behind. Every month of delay hands them a predictable advantage: a patchwork of unprotected systems running business-critical workloads.
	</p>

	<p>
		 
	</p>

	<p>
		The cost of waiting is steep. Breaches tied to unsupported infrastructure often carry higher remediation costs, longer downtime, and greater reputational damage than attacks on supported platforms. And because compliance frameworks evolve faster than legacy systems, staying put also means falling behind on requirements that affect contracts, customer trust, and even your ability to do business. 
	</p>
</blockquote>

<p>
	In light of this situation, Microsoft has advised customers to audit their environments, prioritize high-risk endpoints, strengthen temporary defenses in legacy systems, and plan migrations to modern alternatives. The Redmond tech giant believes that technical decision-makers need to be proactive in this regard and address legacy systems as soon as possible.
</p>
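The advice above (audit the environment, prioritize high-risk endpoints) starts with knowing which machines are actually out of support. As an added example, not Microsoft's code or guidance, the following Python classifies hosts from an inventory export by OS build: Windows 11 begins at build 22000, and ESU only covers Windows 10 version 22H2 (build 19045), so an older Windows 10 build is unsupported even if someone ticked the ESU box. The CSV columns (`esu_enrolled`, `internet_exposed`, `role`), the sample rows, and the remediation-ordering rules are constructed assumptions. LTSC editions and Windows Server follow their own lifecycle dates, so the example marks them out of scope rather than guessing.

```python
"""Classify endpoints from an OS inventory export as supported, ESU-covered, or
unsupported, and rank the unsupported ones for remediation.

Added illustration: the CSV columns and sample rows are constructed, and the
priority rules are an editorial assumption, not Microsoft's guidance."""
import csv
import io

WIN11_MIN_BUILD = 22000   # Windows 11 21H2 is build 22000; everything above is Windows 11
WIN10_22H2_BUILD = 19045  # the only Windows 10 release eligible for ESU

# Constructed inventory; 'esu_enrolled' and 'internet_exposed' are hypothetical columns.
SAMPLE_INVENTORY = """\
hostname,os_name,os_version,esu_enrolled,role,internet_exposed
ws01,Windows 10 Pro,10.0.19045.6456,no,workstation,yes
ws02,Windows 10 Pro,10.0.19045.6456,yes,workstation,no
ws03,Windows 11 Pro,10.0.26100.6899,no,workstation,yes
ws04,Windows 10 Pro,10.0.19044.5371,yes,workstation,no
srv01,Windows Server 2022 Standard,10.0.20348.3932,no,server,yes
kiosk1,Windows 10 Enterprise LTSC 2021,10.0.19044.5371,no,kiosk,yes
"""


def build_number(os_version):
    """'10.0.19045.6456' -> 19045 (the third dotted component)."""
    return int(os_version.split(".")[2])


def classify(os_name, os_version, esu_enrolled):
    """Lifecycle status of one client OS; LTSC and Server follow their own lifecycles."""
    if "Windows Server" in os_name or "LTSC" in os_name:
        return "out-of-scope"
    build = build_number(os_version)
    if build >= WIN11_MIN_BUILD:
        return "supported"
    if build == WIN10_22H2_BUILD and esu_enrolled:
        return "esu"          # still receives security updates under the ESU program
    return "unsupported"      # pre-22H2 Windows 10, or 22H2 without ESU enrollment


def audit(csv_text):
    """Return {hostname: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["hostname"]: classify(r["os_name"], r["os_version"], r["esu_enrolled"].lower() == "yes")
        for r in rows
    }


def remediation_order(csv_text):
    """Unsupported hosts only: internet-exposed before internal, servers before workstations."""
    statuses = audit(csv_text)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    unsupported = [r for r in rows if statuses[r["hostname"]] == "unsupported"]
    role_rank = {"server": 0, "kiosk": 1, "workstation": 2}
    unsupported.sort(key=lambda r: (r["internet_exposed"].lower() != "yes",
                                    role_rank.get(r["role"], 9), r["hostname"]))
    return [r["hostname"] for r in unsupported]


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:<8} {status}")
    print("remediate first:", remediation_order(SAMPLE_INVENTORY))
```

Feed it the CSV your inventory or MDM tool exports (the column names will differ; adjust the `DictReader` keys) and the `unsupported` bucket is the list to isolate, enroll in ESU, or migrate first.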

<p>
	 
</p>

<p>
	Of course, during all of this, Microsoft has also seen fit to promote the benefits of Windows 11 and the hardware and programs around it: Intel vPro hardware, Windows Hello for Business, the Secure Future Initiative (SFI), and Copilot+ PCs, which run AI workloads locally.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-warns-of-potential-cybersecurity-disaster-if-you-stay-on-windows-10/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 24 October 2025 at 3:18 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32032</guid><pubDate>Thu, 23 Oct 2025 17:18:40 +0000</pubDate></item><item><title>Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000</title><link>https://nsaneforums.com/news/security-privacy-news/pwn2own-day-2-hackers-exploit-56-zero-days-for-790000-r32023/</link><description><![CDATA[<p>
	Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition.
</p>

<p>
	 
</p>

<p>
	Today's highlight was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 <a href="https://x.com/thezdi/status/1981033789984801167" rel="external nofollow" target="_blank">with a chain of five security flaws</a>, earning $50,000 and 5 Master of Pwn points.
</p>

<p>
	 
</p>

<p>
	Also, while PHP Hooligans <a href="https://x.com/thezdi/status/1981010304969703511" rel="external nofollow" target="_blank">needed only a single second</a> to hack the QNAP TS-453E NAS device, the vulnerability they exploited had already been used in the contest (a bug collision, in ZDI’s terms, which earns a reduced award).
</p>

<p>
	 
</p>

<p>
	Chumy Tsai of CyCraft Technology, Le Trong Phuc and Cao Ngoc Quy of Verichains Cyber Force, and Mehdi &amp; Matthieu of Synacktiv Team were also awarded $20,000 for breaking into the QNAP TS-453E, Synology DS925+, and the Philips Hue Bridge.
</p>

<p>
	 
</p>

<p>
	The contestants also exploited zero-day bugs in the Canon imageCLASS MF654Cdw printer, Home Assistant Green, Synology CC400W camera, Synology DS925+ NAS, Amazon Smart Plug, and Lexmark CX532adwe printer.
</p>

<p>
	 
</p>

<p>
	Summoning Team is still <a href="https://x.com/thezdi/status/1981065822270607388" rel="external nofollow" target="_blank">at the top of the Master of Pwn leaderboard</a> with 18 points after earning $167,500 during the first two days of the event.
</p>

<p>
	 
</p>

<p>
	On <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/" rel="external nofollow" target="_blank">the first day of Pwn2Own Ireland</a>, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. After the competition ends, vendors have 90 days to release patches before ZDI publicly discloses the vulnerabilities.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.zerodayinitiative.com/blog/2025/20/pwn2own-ireland-2025-the-full-schedule#:~:text=Thursday%2C%20October%2023%20%E2%80%93%200930" rel="external nofollow" target="_blank">On the third and last day of Pwn2Own</a>, they will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will also attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for <a href="https://www.bleepingcomputer.com/news/security/pwn2own-hacking-contest-pays-1-million-for-whatsapp-exploit/" rel="external nofollow" target="_blank">a $1 million reward</a>. 
</p>

<p>
	 
</p>

<p>
	Video: <a href="https://www.youtube-nocookie.com/embed/LuzHcXruJF4" rel="external nofollow" target="_blank">Live from Pwn2Own Ireland: Summoning Team vs. Samsung Galaxy</a>
</p>

<p>
	 
</p>

<p>
	Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork.
</p>

<p>
	 
</p>

<p>
	Pwn2Own Ireland 2025 <a href="https://www.zerodayinitiative.com/blog/2025/7/30/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target" rel="external nofollow" target="_blank">features eight categories</a> targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta's Quest 3/3S headsets and Ray-Ban Smart Glasses).
</p>

<p>
	 
</p>

<p>
	This year's contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection. However, traditional wireless protocols such as Wi-Fi, Bluetooth, and near-field communication (NFC) are still valid attack vectors.
</p>

<p>
	 
</p>

<p>
	During the Pwn2Own Ireland 2024 event, hackers <a href="https://www.bleepingcomputer.com/news/security/over-70-zero-day-flaws-get-hackers-1-million-at-pwn2own-ireland/" rel="external nofollow" target="_blank">earned $1,078,750</a> for over 70 zero-days, with Viettel Cyber Security taking home $205,000 in cash after exploiting QNAP, Sonos, and Lexmark flaws.
</p>

<p>
	 
</p>

<p>
	In January 2026, the ZDI will return to the Automotive World technology show in Tokyo <a href="https://www.zerodayinitiative.com/blog/2025/10/16/pwn2own-automotive-returns-to-tokyo-with-expanded-chargers-and-more" rel="external nofollow" target="_blank">for the third Pwn2Own Automotive contest,</a> again sponsored by Tesla.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 23 October 2025 at 11:51 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32023</guid><pubDate>Thu, 23 Oct 2025 01:52:06 +0000</pubDate></item></channel></rss>
